Wireless Access Point (aka "Dumb" Access Point)

This page describes how to configure your device as a wireless access point (AP), sometimes called a “dumb AP connected to an existing network with a single main router. The term dumb is used since the AP will not provide administrative duties such as routing, firewall, DHCP, or DNS, as these will be performed by the main router or other device.

One common reason for this is to add additional wireless coverage to an existing network, maybe on a different floor or to cover a wireless dead spot. This setup is sufficient for small home or office network, but for larger networks a more sophisticated approach is often used.

Summary of configuration for a Wireless AP:

  1. The wireless AP is connected LAN-to-LAN to the main router by some means e.g. ethernet cable, 802.11s mesh, etc.
  2. The wireless AP bridges its SSID wireless interface onto its LAN bridge interface. Wireless traffic on the wireless AP goes to its bridge LAN interface, then to the main router.
  3. The wireless AP bridge LAN may have either a static or DHCP address on the same subnet as the main router bridge LAN interface.
  4. The wireless AP gateway IP address is set to the address of the main router, either in the configuration or by DHCP.
  5. The wireless AP does not provide DHCP service, DNS resolution, or a firewall.

Several videos are available on the topic which may be useful for background information.
Bare in mind they are somewhat outdated and generally do not take into account everything.

Using OpenWrt v21 with DSA example:

Two videos which are outdated but explain firewall and APs:

WiFi roaming is much improved in newer mobile devices so configuring Fast Roaming, aka 802.11r, may not be required.
This video can be misleading as 802.11r has nothing to do with mesh networking.

These instructions refer to the interface found in OpenWrt 23.05. The interface of v21 upwards differs in significant ways from earlier versions of OpenWrt which we try to account for... but no guarantees.

This setup requires two routers, a computer with an Ethernet port, and an Ethernet cable. We refer to the routers as the main router and the wireless AP and we assume default settings on both. The main router should already be properly configured and connected to the Internet.

Disconnect the wireless AP from your network.
Use an Ethernet cable to connect your computer to one of the LAN ports (not the Internet/WAN port) of the wireless AP.
If you use a notebook, turn off WiFi while configuring your AP to only have one IP connection, a wired one, to your “to be” configured wireless AP.
From a browser, navigate to LuCI by going to http://192.168.1.1. Login. Change the admin password if necessary.

Go to Network → Interfaces and click on the Edit button of the LAN interface. Ensure you are on the General Settings tab.

It is best to configure the wireless AP to use DHCP to obtain an address from the main router,
but this guide will show how to do it the alternative way - by configuring a static IP address.

Give the wireless AP an IP address “next to” your main router.
By default, the main router will have an address of 192.168.1.1, so use 192.168.1.2. (or something like that.)
The address should be on the same subnet as your main router but out of the DHCP range used when assigning addresses to connected devices.
By default, that means the wireless AP router IP should be between 192.168.1.2 and 192.168.1.100.
If you're adding multiple wireless APs, you could use 192.168.1.3, 192.168.1.4, etc.
Save and apply the new IP address.

A warning screen will apear because you changed the routers IP to 192.168.1.2. Press “Apply and keep settings”.

Navigate back to the address you assigned in the previous step (say, http://192.168.1.2).
Make sure your browser uses the new IP address you assigned in the previous step.
Why? Because in the next step, the gateway needs to be changed to point to the main router, and LuCI will not allow you to change the gateway to 192.168.1.1 while the wireless AP router is using that IP address.
If things are not working as expected, unplug the network cable from your computer for 10 seconds and plug in again. The currently still active DHCP Server on your wirless AP will then reasign a valid IP to you.

Login in your router and go back to Network → Interfaces, Edit the LAN interface, General Settings tab.

Change the IPv4 gateway to point to your main router, 192.168.1.1 by default. This sets the wireless AP router to use the main router for Internet access.

Use the main router (192.168.1.1) for DNS. Same page but the Advanced Settings tab. Enter the IP of your main router in the Use custom DNS servers field and click +.

Use the main router for DHCP (and disable DHCP for the Wireless AP). Same page again, now the DHCP Server tab. Ensure the Ignore interface checkbox is checked.

Disable IPv6 DHCP. Same page, DHCP Server tab again, but click on the IPv6 Settings sub-tab. Set the RA-Service, DHCPv6-Service, and NDP-Proxy dropdowns to disabled.
In versions of OpenWrt older than 21.02.0: Under “Physical Settings” tab, ensure “Bridge interfaces” is ticked, and ensure BOTH of your interfaces (eth0, wlan0) are selected, in order to allow traffic between wireless and wired connections.
Press “Save”

On the “Interface” screen, press “Save & Apply”.
Most important steps are done, your wireless AP works!

Review next steps for some fine tuning, enable WLAN or even add a Guest Network:

If you plan to add a “GUEST” network on your wireless AP (see this guide: guestwifi_dumbap),
do not do the next steps regarding turning off services labeled firewall, dnsmasq and odhcpd because your GUEST network will need these.
Deleting the WAN / WAN6 interfaces is compatible with having a GUEST network on your wireless AP.

- To save resources on the wireless AP router, disable unneeded services. Navigate to System → Startup. Disable the services labeled firewall, dnsmasq and odhcpd. (Perhaps ironically, click Enable to toggle.) Note even though these services are now disabled, after you flash a new image to the device they will be re-enabled. For a more permanent fix see Disable Daemons Persistently.
- Optionally, remove or disable the WAN and WAN6 interfaces. On the Network → Interfaces page, Edit the WAN and WAN6 interfaces to uncheck the Bring up on boot checkbox. Or just delete the interfaces.
- Note that by default OpenWrt does not enable wireless access. So, from a default installation, at the very least you will need to review the wireless SSIDs, enable wireless security, and then enable the wireless networks from the Network → Wireless page. Click the Save and Apply button.

Use an Ethernet cable to connect one of the LAN ports on your main router to one of the LAN ports (not the WAN/Internet port) of the wireless AP router. You may need to reboot or power cycle either or both routers, the device connecting your main router to the Internet, and potentially any connected devices. In many cases this will not be necessary. Done!

The changes below assume an OpenWrt default configuration, the relevant files are:

Edit /etc/config/network and change the interface section:

For switch-less devices, e.g. Alix Board, wr1043nd v2

On switchless devices, simply bridge all ethernet interfaces together, remove the existing WAN interface - if any.

config interface lan
        option type     'bridge'
        option ifname   'eth0 eth1'   # Bridges lan and wan
        option proto    'dhcp'        # Change as appropriate

For devices with switch and dedicated WAN, e.g. WNDR3700, WR1043ND v1, WR741ND v2.4

On devices with a separate WAN interface, bridge the LAN VLAN together with the WAN interface, remove the existing WAN interface - if any.

config interface lan
        option type     'bridge'
        option ifname   'eth0.1 eth1'  # Bridges vlan 1 and wan
        option proto    'dhcp'         # Change as appropriate

Switch configuration on WR1043ND (barrier breaker).

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 4 5t'  # 1. add 0 in here

#config switch_vlan               # 2. comment out or delete the whole vlan 2 section
#       option device 'switch0'
#       option vlan '2'
#       option ports '0 5t'

For devices with switch only, e.g. WRT54GL

On devices where WAN and LAN are separated by switch config, reconfigure the LAN VLAN to cover all ports, remove the existing WAN interface and its related VLAN - if any.

config switch_vlan eth0_1
        option vlan     '1'
        option ports    '0 1 2 3 4 5t' # Might vary depending on the device

config interface lan
        option type     'bridge'
        option ifname   'eth0.1'      
        option proto    'dhcp'         # Change as appropriate

Switch and dedicated WAN devices post 21.01

The syntax is slightly different for these devices. You will notice that there is a config device which lists the ethernet port(s) assigned to an interface (in this case the br-lan). It will also list the assigned port under the “list ports” clause. The gotcha here is that you must add a separate line for each “list ports” added to a device. If you try to add them to one “list ports” entry space or comma separated it will not work properly. Finally you can remove/comment out any WAN interface settings identical to the above entries.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.1.1'

Edit /etc/config/wireless, and don't worry about most of it, things that might need changes are commented.

config 'wifi-device' 'radio0'
        option type    'mac80211'
        option channel '11'
        option macaddr '12:e4:4a:b3:83:1a'
        option htmode  'HT20'
        list ht_capab  'SHORT-GI-20'
        list ht_capab  'SHORT-GI-40'
        list ht_capab  'TX-STBC'
        list ht_capab  'RX-STBC1'
        list ht_capab  'DSSS_CCK-40'

config 'wifi-iface'
        option device  'radio0'
        option network 'lan'  # Set to the name of the bridged interface
        option mode    'ap'
        option ssid    'ap_myaccesspoint'
        option encryption 'psk2'  # Change as appropriate
        option key     'ap_password'

If you still need dnsmasq running for something else (e.g. TFTP server) you can do:

uci set dhcp.lan.ignore=1
uci commit dhcp
/etc/init.d/dnsmasq restart

If not disable dnsmasq service:

/etc/init.d/dnsmasq disable
/etc/init.d/dnsmasq stop

Disable odhcpd with uci:

uci set dhcp.lan.dhcpv6=disabled
uci set dhcp.lan.ra=disabled
uci commit

Or disable service:

/etc/init.d/odhcpd disable
/etc/init.d/odhcpd stop
/etc/init.d/firewall disable
/etc/init.d/firewall stop
rm /usr/sbin/wpa_supplicant

Reloading the network config should be enough, it should automatically restart if necessary. Or just reboot.

/etc/init.d/network reload

If you would like your AP to receive IPv6 as a host only and not for routing you have to tell the DHCPv6 client not to request prefix delegation. If you do not do this the AP will reject basic IPv6 addresses. If you want to still be able to use IPv6 on the router itself change the wan6 to lan6 and @wan to @lan.

config interface 'lan6'
	option proto 'dhcpv6'
	option ifname '@lan'
	option reqprefix 'no'

Note that although the start-up of daemons such as firewall, dnsmasq, wpa_supplicant and optionally odhcpd have been set to disabled, when a new image is flashed to the device, they will be re-enabled. To work-around this, simply add the following to /etc/rc.local on the device:

# these services do not run on dumb APs
for i in firewall dnsmasq odhcpd; do
  if /etc/init.d/"$i" enabled; then
    /etc/init.d/"$i" disable
    /etc/init.d/"$i" stop
  fi
done

rm /usr/sbin/wpa_supplicant

Dumb APs will not have the data to display hostnames of the associated devices. Only MAC addresses are known to it. Users wanting to see the corresponding hostnames in the Associated Stations display in LuCI can manually populate /etc/ethers on the dumb AP:

On the router, one can extract this data with the following one-liner:

< dhcp.leases | awk '{print $2" "$4}'

See the following discussion threads for additional approaches:

DLNA and UPnP clients, and printer or SMB discovery protocols tend to work by using multicast packets. For example PlayStation, Xbox, and TVs use DLNA to detect, communicate with and stream audio/video over the network. By default on bridged interfaces on OpenWrt multicast snooping is turned off. This means all network interfaces connected to a bridge (such as a WiFi SSID and ethernet VLAN) will receive multicast packets as if they were broadcast packets.

On WiFi the slowest modulation available is used for multicast packets (so that everyone can hear them). If you have “enabled legacy 802.11b rates” on your WiFi (Advanced settings checkbox in LuCI under the WiFi settings, or option legacy_rates '1' in /etc/config/wireless file) then 1Mbps is the rate that will be used. This can completely use up the WiFi airtime with even fairly light multicast streaming.

There are two possible fixes for this, one is to enable multicast snooping: option igmp_snooping '1' under the appropriate /etc/config/network settings for the bridge. This will cause the bridge to forward only on bridge ports that have requested to receive the particular multicast group. On the other hand, if someone on WiFi requests the group, it will still flood the multicast there, and some people have reported problems with certain devices such as android phones and with ipv6 when igmp_snooping is enabled (requires further debugging to identify if there is really a problem or not). By disabling legacy 802.11b rates (option legacy_rates '0') you can at least force the use of 6Mbps or more on the WiFi multicast packets, and this opens up more airtime for other uses.

  • Dumb AP wireless can be configured to control access as Open/WPA/WPA2/etc. MAC-based access control is controlled by the main router.
  • 'Static DHCP' is not covered here: this procedure creates an AP that provides wired/wireless access and won't interfere with Static DHCP.
  • This recipe is similar to the “Bridged AP” recipe at Bridged AP. These pages should probably be merged.
  • Firewall bridge mode support in OpenWrt is provided by the kmod-br-netfilter module.
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2024/02/01 19:55
  • by palebloodsky