In the default configuration, OpenWrt bridges the wireless network to the LAN of the device. The advantage of bridging is that broadcast traffic from Wireless to LAN and vice versa works without further changes.
In order to separate the wireless network from LAN, a new network with the corresponding DHCP and firewall settings must be created. This document outlines the steps necessary to implement such a setup.
The changes below assume an OpenWrt default configuration; the relevant files are:
/etc/config/network and define a new
Note that no ifname option is set here; it is not required since the wireless network will reference this section later.
Make sure that the chosen IP address is in a different subnet than the one used by the
In /etc/config/wireless, locate the existing wifi-iface section and change its network option to point to the newly created interface section.
In the existing section, network was changed to point to the wifi interface defined in the previous step.
Optionally change the last line to option encryption 'psk2' and add the line option key 'secret key' to enable WPA encryption.
Since wireless is not bridged to LAN anymore, no DHCP leases are served to wireless clients yet.
In order to support DHCP on wireless as well, a new dhcp pool must be defined in
By default, traffic originating from the wireless network is not allowed to reach the WAN or the LAN interface. There is also no firewall zone defined for it yet, so only the default policies apply to the wireless network.
/etc/config/firewall and add a new zone section covering the
Now that the zone is defined, traffic forwarding control for the wireless network can be implemented.
To allow wireless clients to use the WAN interface, add the following
If LAN clients should be able to contact wireless clients, add the following forwarding:
To allow wireless clients to reach the LAN network, add the reversed rule below as well:
ifup wifi
wifi
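The sections described in the steps above, collected in one place as an added example (not the configuration from the original page). The subnet, radio name, SSID, pool range and passphrase are constructed placeholders, and the zone policies are an assumption chosen to match the default-deny forwarding the text describes.

```uci
# /etc/config/network
# New interface for the wireless network. No ifname: the wifi-iface references it.
# 192.168.2.1 is an assumed address; it must not overlap the LAN subnet.
config interface 'wifi'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

# /etc/config/wireless
# Existing wifi-iface section with network switched from lan to wifi.
# 'radio0' and the SSID are assumptions; keep the values already in your file.
config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt'
	option network 'wifi'
	option encryption 'psk2'
	option key 'REPLACE-WITH-PASSPHRASE'

# /etc/config/dhcp
# Address pool for the new interface (range and lease time are assumptions).
config dhcp 'wifi'
	option interface 'wifi'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall
# Zone for the wireless network. input ACCEPT lets wireless clients reach
# services on the router itself, such as DHCP and DNS.
config zone
	option name 'wifi'
	list network 'wifi'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Wireless clients may use the WAN interface.
config forwarding
	option src 'wifi'
	option dest 'wan'

# Optional, LAN to wireless: add a forwarding with src 'lan' and dest 'wifi'.
# Optional, wireless to LAN: add a forwarding with src 'wifi' and dest 'lan'.
# The second one gives wireless clients access to the LAN again.
```

With only the wifi-to-wan forwarding present, the zone's forward policy of REJECT keeps wireless and LAN clients from reaching each other.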
If you are using IPv6 prefix delegation for subnetting on the lan side, you will need to adjust the interface parameter ip6assign. The single prefix will need to be split. For example, if it was 64 for the lan interface, it could be set to 63 for the lan interface and 63 for the wifi interface. Failure to do this will give the 64 prefix to the lan interface, probably leaving no IPv6 prefix on