Differences

This shows you the differences between two versions of the page.

docs:guide-user:network:wifi:vlan-multiple-wifi-ssid-repeater [2019/01/19 12:42] unitelife
docs:guide-user:network:wifi:vlan-multiple-wifi-ssid-repeater [2020/09/05 13:21] – spelling, links vgaetera
Line 1: Line 1:
-====== How to Setup Wifi Repeaters with Multiple SSIDs ====== +====== Setting up Wi-Fi repeaters with multiple SSIDs with separated private, tor and guest network ======
  --- //[[og.openwrt@gmail.com|a humbly committed student]] 2019/01/19 10:31//  --- //[[og.openwrt@gmail.com|a humbly committed student]] 2019/01/19 10:31//
-The purpose of this wiki is to show users how to configure a main router and multiple access points to repeat multiple SSIDs through the use of tagged vlan switches.+ 
 +The purpose of this article is to show users how to configure a main router and multiple access points to repeat multiple SSIDs through the use of tagged VLAN switches
 + 
 +This example contains one main router that will supply the Wi-Fi SSIDs and DHCP service and two routers configured as access points. In this example, the Linksys WRT 3200acm router with OpenWrt 18.01 was used for all devices.  
 + 
 +These procedures can be done primarily on the LuCI web interface but due to me not being able to attach screenshots, I have done the configuration through the routers config files located in /etc/config during an SSH session into each router.
  
 It is recommended to be familiar with the following wiki articles to perform this task. It is recommended to be familiar with the following wiki articles to perform this task.
  
-  * [[docs:guide-user:network:vlan:creating_virtual_switches|How-To: Creating an additional virtual switch on a typical home router]] +  * [[docs:guide-user:network:vlan:creating_virtual_switches|How-to: Creating an additional virtual switch on a typical home router]] 
-  * [[docs:guide-user:network:wifi:relay_configuration|Wifi Extender or Repeater or Bridge Configuration]]+  * [[docs:guide-user:network:wifi:relay_configuration|Wi-Fi Extender or Repeater or Bridge Configuration]]
   * [[docs:guide-user:network:wifi:routedap|Routed AP]]   * [[docs:guide-user:network:wifi:routedap|Routed AP]]
   * [[docs:guide-user:network:wifi:mesh:80211s|802.11s based wireless mesh network]]   * [[docs:guide-user:network:wifi:mesh:80211s|802.11s based wireless mesh network]]
  
-===== Use-Case Scenario ===== +===== Use-case scenario =====
 This is a network topology for this example: This is a network topology for this example:
  
 [[https://creately.com/diagram/jqvt7mog/XMLuTm22lf8t2ZGA2XqaZx0sSn8%3D|Network Topology Example]] [[https://creately.com/diagram/jqvt7mog/XMLuTm22lf8t2ZGA2XqaZx0sSn8%3D|Network Topology Example]]
  
 +==== Wi-Fi and VLAN Configuration Breakdown ====
 +The SSIDs were created and bridged to their respective Network interface. Each Network interface was added to their own specific VLAN ID. 
  
-This example contains one main router that will supply the WiFi SSIDs and DHCP service and two routers configured as access points. In this example, the Linksys WRT 3200acm router with OpenWrt 18.01 was used for all devices.+The two APs were configured to use the WAN port to receive the tagged uplink connection from the tagged interface port of the previous router/hopI did this to allow me to utilize the 4 ports of the LAN which gave me more ports to connect devices to
  
-List of WiFi SSIDs:+It becomes a matching game to ensure the VLAN ID number that is attached to each of the Wi-Fi interfaces are consistent on all devices i.e. private is on VLAN1 (eth0.1), guest is on VLAN3 (eth0.3), tor is on VLAN4 (eth0.4), etc. so that each router knows the existence of the VLANs. 
 + 
 +List of Wi-Fi SSIDs: 
 + 
 +  * Private: SSID = Magick Mushroom, Gaming 
 +  * Guest: SSID = Slave 
 +  * Tor: SSID = tor
  
-  * Private 
-  * Guest 
-  * Tor 
  
 ==== Main Router Configuration Procedures: ==== ==== Main Router Configuration Procedures: ====
  
-  - Firstcreate extra vlansThis can be done via the Luci Gui>Network>Switch or the config file located in /etc/config/network. The SSIDs were created on their own respective interface+=== Switch details === 
 + 
 +^ VLAN ID      ^ Upstream side:HW switch ↔ eth1 driver^^ Downstream side:HW switch↔physical ports^^^^^ 
 +|      | CPU (eth0)    |  cpu (eth1)        |LAN1|LAN2|LAN3|LAN4|WAN| 
 +|         | tagged     | off        |untagged|untagged|untagged|tagged|off| 
 +|         | off | tagged |off|off|off|off|untagged| 
 +|         | tagged     | off        |off|off|off|tagged|off| 
 +|         | tagged     | off        |off|off|off|tagged|off| 
 + 
 +*//Tip: To determine your routers WAN CPU when there are multiple CPUs listed is to use the LuCI web interface and navigate to Network>Switch and see which row has both the CPU tagged and the WAN untaggedtogether, by defaultAnother way is to use the LuCI web interface to navigate to Network>Interfaces and see what Interface is used under the Physical Settings of the WAN // 
 + 
 +1. Create extra VLANs to match the table above. The LAN4 interface was configured to be tagged with VLAN ID numbers. The LAN4 is rebroadcasting the uplink to the next router (the midrange router).
 <hidden onHidden="/etc/config/network" onVisible="Click to see less"><code> <hidden onHidden="/etc/config/network" onVisible="Click to see less"><code>
 config interface 'loopback' config interface 'loopback'
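Review bot: The main-router table added under "Switch details" leaves the VLAN ID cell empty in all four data rows, so a reader cannot tell which row is VLAN 1, 2, 3 or 4 without cross-reading the mid-range AP table. Fill in the IDs so they match the sentence above stating that private is on VLAN1, guest on VLAN3 and tor on VLAN4. The tip line also opens with a stray `*` before `//Tip:`, and step 1 is written as literal "1." text where the removed line used the wiki's `  - ` ordered-list syntax.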
Line 104: Line 123:
  option ports '0t 5t'  option ports '0t 5t'
  
-config interface 'lanvpn' +</code></hidden>
- option proto 'none' +
- option ifname 'tun0'+
  
-config interface 'slavevpn' +2. Create Wi-Fi interfaces. 
- option proto 'none' +
- option ifname 'tun1'+
  
-config interface 'torvpn' +:!: Be sure to make the SSID names and passwords identical to what is configured on the main router
- option proto 'none' +
- option ifname 'tun2' +
- +
-</code></hidden>+
  
-Create WiFi interfaces 
 <hidden onHidden="/etc/config/wireless" onVisible="Click to see less"><code> <hidden onHidden="/etc/config/wireless" onVisible="Click to see less"><code>
 config wifi-device 'radio0' config wifi-device 'radio0'
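Review bot: The `:!:` warning added under step 2 tells the reader to make SSID names and passwords "identical to what is configured on the main router", but this hunk sits in the Main Router Configuration section, so the instruction refers to itself. Drop it here and keep it only in the two AP sections, or reword it to say that the values chosen here must be reused on every AP. Removing the `lanvpn`, `slavevpn` and `torvpn` interfaces is consistent with the firewall hunk that drops the matching zones.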
Line 135: Line 145:
  option ssid 'Gaming'  option ssid 'Gaming'
  option encryption 'psk-mixed'  option encryption 'psk-mixed'
- option key 'P@5sword'+ option key 'supersecretpassword'
  option wpa_disable_eapol_key_retries '1'  option wpa_disable_eapol_key_retries '1'
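Review bot: Replacing `P@5sword` with `supersecretpassword` on the `Gaming` SSID still leaves a literal that readers can paste unchanged; an obvious placeholder such as `option key '<your-passphrase>'` makes it clear the value must be replaced. The unchanged `option encryption 'psk-mixed'` line above it also accepts WPA1 clients; if the example does not need legacy clients, `psk2` would be the safer value to document.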
  
Line 154: Line 164:
  option ssid 'Magick Mushroom'  option ssid 'Magick Mushroom'
  option encryption 'psk-mixed'  option encryption 'psk-mixed'
- option key 'P@5sword'+ option key 'supersecretpassword'
  option wpa_group_rekey '0'  option wpa_group_rekey '0'
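Review bot: The context line `option wpa_group_rekey '0'` directly below the changed key disables periodic group key rotation on `Magick Mushroom` and is left unexplained; either say why the example needs it or remove it so readers do not copy it by default. The new key is also the same literal used for `Gaming`, so a sentence stating whether the two private SSIDs are meant to share one passphrase would help.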
  
Line 174: Line 184:
 </code></hidden> </code></hidden>
  
-Create firewall rules+3. Create firewall rules
 <hidden onHidden="/etc/config/firewall" onVisible="Click to see less"><code> <hidden onHidden="/etc/config/firewall" onVisible="Click to see less"><code>
  
Line 310: Line 320:
  option network 'slave'  option network 'slave'
  option input 'REJECT'  option input 'REJECT'
- 
-config forwarding 
- option dest 'wan' 
- option src 'slave' 
  
 config rule config rule
Line 375: Line 381:
  option target 'DNAT'  option target 'DNAT'
  
-config rule +config forwarding 
- option name 'Allow-LAN-OpenVPN+ option dest 'wan
- option src '*' + option src 'lan'
- option dest_port '1999' +
- option proto 'tcp udp' +
- option target 'ACCEPT'+
  
-config zone +config forwarding 
- option name 'lanvpn+ option dest 'wan
- option network 'lanvpn' + option src 'tor'
- option masq '1' +
- option output 'ACCEPT' +
- option input 'ACCEPT' +
- option forward 'ACCEPT' +
- option mtu_fix '1'+
  
-config rule +config forwarding 
- option name 'Allow-SLAVE-OpenVPN+ option dest 'tor' 
- option src '*+ option src 'wan' 
- option dest_port '1111+ 
- option proto 'tcp udp+config forwarding 
- option target 'ACCEPT'+ option dest 'wan' 
 + option src 'slave' 
 + 
 +</code></hidden> 
 + 
 +4. Create DHCP configurations 
 +<hidden onHidden="/etc/config/dhcp" onVisible="Click to see less"><code> 
 +config dnsmasq 
 + option domainneeded '1' 
 + option localise_queries '1' 
 + option rebind_protection '1' 
 + option rebind_localhost '1' 
 + option local '/lan/' 
 + option domain 'lan' 
 + option expandhosts '1' 
 + option authoritative '1' 
 + option readethers '1' 
 + option leasefile '/tmp/dhcp.leases' 
 + option resolvfile '/tmp/resolv.conf.auto' 
 + option nonwildcard '1' 
 + option localservice '1' 
 + option serversfile '/tmp/adb_list.overall' 
 +        list server '8.8.8.8' 
 +        list server '8.8.4.4' 
 + 
 +config dhcp 'lan' 
 + option interface 'lan' 
 + option leasetime '12h' 
 + option dhcpv6 'server' 
 + option ra 'server' 
 + option start '2' 
 + option limit '254' 
 + option ra_management '1' 
 + 
 +config dhcp 'slave' 
 + option leasetime '12h' 
 + option interface 'slave' 
 + option start '2' 
 + option limit '254' 
 + 
 +config dhcp 'tor' 
 + option leasetime '12h' 
 + option interface 'tor' 
 + option start '2' 
 + option limit '254' 
 + 
 +config dhcp 'wan' 
 + option interface 'wan' 
 + option ignore '1' 
 + 
 +config odhcpd 'odhcpd' 
 + option maindhcp '0' 
 + option leasefile '/tmp/hosts/odhcpd' 
 + option leasetrigger '/usr/sbin/odhcpd-update' 
 + option loglevel '4' 
 + 
 +</code></hidden> 
 + 
 +==== 2nd, Mid Range AP ==== 
 +=== Switch details === 
 +^ VLAN ID      ^ Upstream side:HW switch ↔ eth1 driver^^ Downstream side:HW switch↔physical ports^^^^^ 
 +|      | CPU (eth0)    |  cpu (eth1)        |LAN1|LAN2|LAN3|LAN4|WAN| 
 +| 1     | tagged     | tagged     |untagged|untagged|untagged|tagged|tagged| 
 +| 2     | off | off        |off|off|off|off|off| 
 +| 3     | tagged     | tagged     |off|off|off|tagged|tagged| 
 +| 4     | tagged     | tagged     |off|off|off|tagged|tagged| 
 + 
 +1. Create extra VLANs to match the table above. The WAN and LAN4 interfaces were configured to be tagged with VLAN ID numbers. The WAN is receiving the uplink from the main router and LAN4 is rebroadcasting the uplink to the next router (the Rear range AP router). 
 +<hidden onHidden="/etc/config/network" onVisible="Click to see less"><code> 
 +config interface 'loopback' 
 + option ifname 'lo' 
 + option proto 'static' 
 + option ipaddr '127.0.0.1' 
 + option netmask '255.0.0.0' 
 + 
 +config globals 'globals' 
 + option ula_prefix 'fdfb:7e04:aca7::/48' 
 + 
 +config interface 'lan' 
 + option type 'bridge' 
 + option ifname 'eth0.1' 
 + option proto 'static' 
 + option netmask '255.255.255.0' 
 + option ip6assign '60' 
 + option ipaddr '192.168.0.1' 
 + option gateway '192.168.0.1' 
 + option broadcast '192.168.0.255' 
 + option dns '8.8.8.8' 
 + 
 +config interface 'wan' 
 + option ifname 'eth1.2' 
 + option proto 'dhcp' 
 + option hostname 'infraverse.network' 
 + 
 +config interface 'wan6' 
 + option ifname 'eth1.2' 
 + option proto 'dhcpv6' 
 + 
 +config switch 
 + option name 'switch0' 
 + option reset '1' 
 + option enable_vlan '1' 
 + 
 +config switch_vlan 
 + option device 'switch0' 
 + option vlan '1' 
 + option vid '1' 
 + option ports '0t 1 2 3 5t' 
 + 
 +config switch_vlan 
 + option device 'switch0' 
 + option vlan '2' 
 + option ports '4 6t' 
 + option vid '2' 
 + 
 +config interface 'slave' 
 + option type 'bridge' 
 + option proto 'static' 
 + option ipaddr '172.16.0.1' 
 + option netmask '255.255.0.0' 
 + option ifname 'eth0.3 radio1' 
 + option gateway '172.16.0.1' 
 + option broadcast '172.16.255.255' 
 + 
 +config interface 'tor' 
 + option proto 'static' 
 + option ipaddr '10.1.1.1' 
 + option netmask '255.0.0.0' 
 + option type 'bridge' 
 + option ifname 'eth0.4' 
 + 
 +config switch_vlan 
 + option device 'switch0' 
 + option vlan '3' 
 + option vid '3' 
 + option ports '0t 5t' 
 + 
 +config switch_vlan 
 + option device 'switch0' 
 + option vlan '4' 
 + option vid '4' 
 + option ports '0t 5t' 
 + 
 +</code></hidden> 
 + 
 +2. Create Wi-Fi interfaces.  
 + 
 +:!: Be sure to make the SSID names and passwords identical to what is configured on the main router 
 +<hidden onHidden="/etc/config/wireless" onVisible="Click to see less"><code> 
 +config wifi-device 'radio0
 + option type 'mac80211
 + option channel '36
 + option hwmode '11a
 + option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0' 
 + option htmode 'VHT80' 
 + option country 'US' 
 + option legacy_rates '1' 
 + 
 +config wifi-iface 'default_radio0' 
 + option device 'radio0' 
 + option network 'lan' 
 + option mode 'ap' 
 + option ssid 'Gaming' 
 + option encryption 'psk-mixed' 
 + option key 'supersecretpassword' 
 + option wpa_disable_eapol_key_retries '1' 
 + 
 +config wifi-device 'radio1' 
 + option type 'mac80211' 
 + option hwmode '11g' 
 + option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0' 
 + option country 'US' 
 + option legacy_rates '1' 
 + option distance '7.7' 
 + option channel '11' 
 + option htmode 'HT20' 
 + 
 +config wifi-iface 'default_radio1' 
 + option device 'radio1' 
 + option network 'lan' 
 + option mode 'ap' 
 + option ssid 'Magick Mushroom' 
 + option encryption 'psk-mixed' 
 + option key 'supersecretpassword' 
 + option wpa_group_rekey '0' 
 + 
 +config wifi-iface 
 + option device 'radio1' 
 + option mode 'ap' 
 + option encryption 'none' 
 + option ssid 'Slave' 
 + option isolate '1' 
 + option network 'slave' 
 + 
 +config wifi-iface 
 + option device 'radio1' 
 + option mode 'ap' 
 + option encryption 'none' 
 + option ssid 'tor' 
 + option network 'tor' 
 + 
 +</code></hidden> 
 + 
 +3. Create firewall rules 
 +<hidden onHidden="/etc/config/firewall" onVisible="Click to see less"><code> 
 + 
 +config defaults 
 + option syn_flood '1' 
 + option input 'ACCEPT
 + option output 'ACCEPT' 
 + option forward 'REJECT'
  
 config zone config zone
- option name 'slavevpn+ option name 'lan
- option network 'slavevpn' + list network 'lan'
- option masq '1'+
  option input 'ACCEPT'  option input 'ACCEPT'
  option output 'ACCEPT'  option output 'ACCEPT'
  option forward 'ACCEPT'  option forward 'ACCEPT'
 +
 +config zone
 + option name 'wan'
 + list network 'wan'
 + list network 'wan6'
 + option input 'REJECT'
 + option output 'ACCEPT'
 + option forward 'REJECT'
 + option masq '1'
  option mtu_fix '1'  option mtu_fix '1'
  
 config rule config rule
- option name 'Allow-tor-OpenVPN+ option name 'Allow-DHCP-Renew
- option src '*+ option src 'wan
- option dest_port '666+ option proto 'udp
- option proto 'tcp udp'+ option dest_port '68'
  option target 'ACCEPT'  option target 'ACCEPT'
 + option family 'ipv4'
  
-config zone +config rule 
- option name 'torvpn+ option name 'Allow-Ping
- option network 'torvpn+ option src 'wan
- option masq '1+ option proto 'icmp
- option input 'ACCEPT+ option icmp_type 'echo-request
- option output 'ACCEPT+ option family 'ipv4
- option forward 'ACCEPT+ option target 'ACCEPT'
- option mtu_fix '1'+
  
-config forwarding +config rule 
- option dest 'wan+ option name 'Allow-IGMP
- option src 'slavevpn'+ option src 'wan' 
 + option proto 'igmp' 
 + option family 'ipv4' 
 + option target 'ACCEPT'
  
-config forwarding +config rule 
- option dest 'wan+ option name 'Allow-DHCPv6
- option src 'torvpn'+ option src 'wan' 
 + option proto 'udp' 
 + option src_ip 'fc00::/6' 
 + option dest_ip 'fc00::/6' 
 + option dest_port '546' 
 + option family 'ipv6' 
 + option target 'ACCEPT'
  
-config forwarding +config rule 
- option dest 'wan+ option name 'Allow-MLD
- option src 'lanvpn'+ option src 'wan' 
 + option proto 'icmp' 
 + option src_ip 'fe80::/10' 
 + list icmp_type '130/0' 
 + list icmp_type '131/0' 
 + list icmp_type '132/0' 
 + list icmp_type '143/0' 
 + option family 'ipv6' 
 + option target 'ACCEPT'
  
-config forwarding +config rule 
- option dest 'slave+ option name 'Allow-ICMPv6-Input
- option src 'slavevpn'+ option src 'wan' 
 + option proto 'icmp' 
 + list icmp_type 'echo-request' 
 + list icmp_type 'echo-reply' 
 + list icmp_type 'destination-unreachable' 
 + list icmp_type 'packet-too-big' 
 + list icmp_type 'time-exceeded' 
 + list icmp_type 'bad-header' 
 + list icmp_type 'unknown-header-type' 
 + list icmp_type 'router-solicitation' 
 + list icmp_type 'neighbour-solicitation' 
 + list icmp_type 'router-advertisement' 
 + list icmp_type 'neighbour-advertisement' 
 + option limit '1000/sec' 
 + option family 'ipv6' 
 + option target 'ACCEPT'
  
-config forwarding +config rule 
- option dest 'tor+ option name 'Allow-ICMPv6-Forward
- option src 'torvpn'+ option src 'wan' 
 + option dest '*' 
 + option proto 'icmp' 
 + list icmp_type 'echo-request' 
 + list icmp_type 'echo-reply' 
 + list icmp_type 'destination-unreachable' 
 + list icmp_type 'packet-too-big' 
 + list icmp_type 'time-exceeded' 
 + list icmp_type 'bad-header' 
 + list icmp_type 'unknown-header-type' 
 + option limit '1000/sec' 
 + option family 'ipv6' 
 + option target 'ACCEPT'
  
-config forwarding+config rule 
 + option name 'Allow-IPSec-ESP' 
 + option src 'wan'
  option dest 'lan'  option dest 'lan'
- option src 'lanvpn'+ option proto 'esp' 
 + option target 'ACCEPT'
  
-config forwarding +config rule 
- option dest 'lanvpn'+ option name 'Allow-ISAKMP'
  option src 'wan'  option src 'wan'
 + option dest 'lan'
 + option dest_port '500'
 + option proto 'udp'
 + option target 'ACCEPT'
  
-config forwarding +config include 
- option dest 'wan' + option path '/etc/firewall.user'
- option src 'lan'+
  
-config forwarding +config include 'miniupnpd' 
- option dest 'wan+ option type 'script' 
- option src 'tor'+ option path '/usr/share/miniupnpd/firewall.include' 
 + option family 'any
 + option reload '1'
  
-config forwarding +config zone 
- option dest 'tor+ option name 'slave' 
- option src 'wan'+ option forward 'REJECT' 
 + option output 'ACCEPT' 
 + option network 'slave' 
 + option input 'REJECT' 
 + 
 +config rule 
 + option target 'ACCEPT' 
 + option proto 'tcp udp' 
 + option dest_port '53' 
 + option name 'Slave dns
 + option src 'slave'
  
 config rule config rule
  option target 'ACCEPT'  option target 'ACCEPT'
- option dest_port '67' 
- option name 'torvpn-DHCP' 
- option src 'torvpn' 
  option proto 'udp'  option proto 'udp'
 + option dest_port '67-68'
 + option name 'slave dhcp'
 + option src 'slave'
 +
 +config zone
 + option name 'tor'
 + option forward 'REJECT'
 + option output 'ACCEPT'
 + option network 'tor'
 + option input 'ACCEPT'
 + option syn_flood '1'
 + option conntrack '1'
  
 config rule config rule
 + option src 'tor'
 + option proto 'udp'
 + option dest_port '67'
  option target 'ACCEPT'  option target 'ACCEPT'
 + option name 'tor DHCP'
 +
 +config rule
 + option src 'tor'
  option proto 'tcp'  option proto 'tcp'
  option dest_port '9040'  option dest_port '9040'
- option name 'torvpn-transport+ option target 'ACCEPT
- option src 'torvpn'+ option name 'tor transport'
  
 config rule config rule
- option enabled '1' + option src 'tor'
- option target 'ACCEPT'+
  option proto 'udp'  option proto 'udp'
  option dest_port '9053'  option dest_port '9053'
- option name 'torvpn-DNS+ option target 'ACCEPT
- option src 'torvpn'+ option name 'tor dns'
  
 config redirect config redirect
- option target 'DNAT'+ option name 'Redirect-Tor-Traffic' 
 + option src 'tor' 
 + option src_dip '!10.1.1.1'
  option dest_port '9040'  option dest_port '9040'
- option name 'Redirect-torvpn-Traffic' 
  option proto 'tcp'  option proto 'tcp'
- option src 'torvpn' + option target 'DNAT'
- option src_dip '!10.1.200.1' +
- option dest 'lan'+
  
 config redirect config redirect
- option target 'DNAT' 
- option proto 'udp' 
  option name 'Redirect-Tor-DNS'  option name 'Redirect-Tor-DNS'
- option src 'torvpn'+ option src 'tor'
  option src_dport '53'  option src_dport '53'
  option dest_port '9053'  option dest_port '9053'
 + option proto 'udp'
 + option target 'DNAT'
 +
 +config forwarding
 + option dest 'wan'
 + option src 'lan'
 +
 +config forwarding
 + option dest 'wan'
 + option src 'tor'
 +
 +config forwarding
 + option dest 'tor'
 + option src 'wan'
 +
 +config forwarding
 + option dest 'wan'
 + option src 'slave'
  
 </code></hidden> </code></hidden>
  
-Create DHCP configurations+4. Create DHCP configurations
 <hidden onHidden="/etc/config/dhcp" onVisible="Click to see less"><code> <hidden onHidden="/etc/config/dhcp" onVisible="Click to see less"><code>
 config dnsmasq config dnsmasq
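Review bot: The forwarding entries `option dest 'tor'` / `option src 'wan'` and `option dest 'wan'` / `option src 'tor'`, present both in the main-router block at the top of this hunk and at the end of the mid-range AP firewall, open the tor zone in both directions. The only redirects shown send TCP to port 9040 and UDP port 53 to 9053, so everything else from tor clients can leave through wan directly. If the tor network is meant to exit only through the transparent proxy, remove both forwardings and keep the zone's `forward 'REJECT'`. In the mid-range AP network file, `lan` sets `ipaddr '192.168.0.1'` and `gateway '192.168.0.1'`, so the AP names itself as its own gateway, and `slave` and `tor` take `172.16.0.1` and `10.1.1.1`; please confirm these are not the main router's addresses copied over, since the AP needs its own address on each VLAN. The `tor` wifi-iface here also lacks `option isolate '1'` although `Slave` has it, and both SSIDs use `encryption 'none'`.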
Line 555: Line 863:
  option loglevel '4'  option loglevel '4'
  
-config host +</code></hidden>
-        option name 'kodi' +
-        option dns '1' +
-        option mac 'b8:27:eb:e0:ad:44' +
-        option ip '192.168.0.2'+
  
-config host 
- option name 'ONSLAUGHT' 
- option dns '1' 
- option mac '28:D2:44:3A:9E:75' 
- option ip '192.168.0.3' 
  
-config host +==== 3rd, Rear Range AP ====
- option name 'ONSLAUGHT' +
- option dns '1' +
- option mac '5C:51:4F:B7:41:75' +
- option ip '192.168.0.4'+
  
-config host +=== Switch details ===
- option name 'BISHOP-MAC' +
- option dns '1' +
- option mac '00:16:CB:9C:39:D5' +
- option ip '192.168.0.5'+
  
-config host +^ VLAN ID      ^ Upstream side:HW switch ↔ eth1 driver^^ Downstream side:HW switch↔physical ports^^^^^ 
- option name 'BISHOP-MAC.WiFi' +|      | CPU (eth0)    | cpu (eth1)        | LAN1 | LAN2 | LAN3 | LAN4 | WAN | 
- option dns '1' +    | tagged     | tagged        |untagged|untagged|untagged|untagged|tagged| 
- option mac '00:17:F2:37:04:64' +| 2     | off | off |off|off|off|off|off| 
- option ip '192.168.0.6'+| 3     | tagged     | tagged        |off|off|off|off|tagged| 
 +| 4     | tagged     | tagged        |off|off|off|off|tagged|
  
-config host 
- option dns '1' 
- option mac '00:19:D2:42:48:DF' 
- option ip '192.168.0.7' 
- option name 'Gambit.Dell' 
  
-config host +1. Create extra VLANs to match the table aboveThe WAN interface was configured to be tagged with VLAN ID numbersThe WAN is receiving the uplink from the mid router. 
- option name 'uyeno' +<hidden onHidden="/etc/config/network" onVisible="Click to see less"><code>
- option dns '1+
- option mac '00:04:23:86:FE:03' +
- option ip '192.168.0.8'+
  
-config host +config interface 'loopback' 
- option dns '1+ option ifname 'lo
- option mac 'AC:FD:CE:C1:84:23+ option proto 'static
- option ip '192.168.0.10+ option ipaddr '127.0.0.1
- option name 'SuiLing.HP-5.CG530646M'+ option netmask '255.0.0.0'
  
-config host +config globals 'globals
- option name 'betas-iPhone.old+ option ula_prefix 'fdcb:2636:4335::/48'
- option dns '1' +
- option mac 'CC:08:E0:C7:B7:09' +
- option ip '192.168.0.11'+
  
-config host +config interface 'lan' 
- option name 'iPhonesiTunesSucks+ option type 'bridge
- option dns '1' + option ifname 'eth0.1' 
- option mac '18:65:90:A0:B6:FE+ option proto 'static' 
- option ip '192.168.0.12'+ option netmask '255.255.255.0' 
 + option ip6assign '60' 
 + option ipaddr '192.168.0.252' 
 + option gateway '192.168.0.1
 + option broadcast '192.168.0.255'
  
-config host +config interface 'wan' 
- option name 'Little-guy.og.iPhone+ option ifname 'eth1.2' 
- option dns '1' + option proto 'static' 
- option mac 'C8:E0:EB:D0:E1:A4+ option netmask '255.255.255.0
- option ip '192.168.0.13'+ option gateway '192.168.0.1' 
 + option broadcast '192.168.1.255
 + option ipaddr '192.168.0.252'
  
-config host +config interface 'wan6
- option dns '1+ option ifname 'eth1.2
- option mac '84:a1:34:bf:ab:a2' + option proto 'dhcpv6'
- option ip '192.168.0.14+
- option name 'betas-iPhone'+
  
-config host +config switch 
- option name 'amazon-f38b5496+ option name 'switch0
- option dns '1' + option reset '1' 
- option mac '0C:47:C9:A3:5F:EE' + option enable_vlan '1'
- option ip '192.168.0.100'+
  
-config host +config switch_vlan 
- option dns '1+ option device 'switch0
- option mac '00:1E:8F:0F:71:44+ option vlan '1
- option ip '192.168.0.31+ option vid '1
- option name 'Canon.Printer'+ option ports '0 1 2 3 4t 5t 6t'
  
-config host +config switch_vlan 
- option dns '1+ option device 'switch0
- option mac '00:30:C1:0A:0F:1D+ option vlan '2
- option ip '192.168.0.32' + option vid '2'
- option name 'HP1320.Printer'+
  
-config host +config switch_vlan 
-        option dns '1+ option device 'switch0
-        option mac '60:38:E0:C7:26:F8+ option vlan '3
-        option ip '192.168.0.252+ option vid '3
-        option name 'bb.openwrt.wrt3200acm.ap'+ option ports '4t 5t 6t'
  
-config host +config switch_vlan 
- option name 'dad.netgear-ap+ option device 'switch0
- option dns '1+ option vlan '4
- option mac '30:46:9A:18:F3:23+ option vid '4
- option ip '192.168.0.253'+ option ports '4t 5t 6t'
  
-config host +config interface 'slave' 
- option dns '1+ option proto 'static
- option mac '24:F5:A2:30:72:30+ option ipaddr '172.16.0.252
- option ip '192.168.0.254+ option netmask '255.255.255.0
- option name 'og.openwrt.wrt3200acm.ap'+ option gateway '172.16.0.1
 + option broadcast '172.16.255.255' 
 + option type 'bridge' 
 + option ifname 'eth0.3'
  
-config host +config interface 'tor
- option name 'pivpn+ option proto 'static
- option dns '1+ option ipaddr '10.1.1.252
- option mac 'B8:27:EB:13:10:FA+ option netmask '255.0.0.0' 
- option ip '192.168.0.199'+ option type 'bridge' 
 + option ifname 'eth0.4'
  
 +</code></hidden>
 +
 +2. Create Wi-Fi interfaces. 
 +
 +:!: Be sure to make the SSID names and passwords identical to what is configured on the main router
 +<hidden onHidden="/etc/config/wireless" onVisible="Click to see less"><code>
 +
 +config wifi-device 'radio0'
 + option type 'mac80211'
 + option hwmode '11a'
 + option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
 + option htmode 'VHT80'
 + option country 'US'
 + option legacy_rates '1'
 + option channel '44'
 +
 +config wifi-iface 'default_radio0'
 + option device 'radio0'
 + option network 'lan'
 + option mode 'ap'
 + option ssid 'Gaming'
 + option encryption 'psk-mixed'
 + option key 'supersecretpassword'
 + option wpa_disable_eapol_key_retries '1'
 +
 +config wifi-device 'radio1'
 + option type 'mac80211'
 + option hwmode '11g'
 + option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
 + option htmode 'HT20'
 + option country 'US'
 + option legacy_rates '1'
 + option channel '9'
 +
 +config wifi-iface 'default_radio1'
 + option device 'radio1'
 + option network 'lan'
 + option mode 'ap'
 + option ssid 'Magick Mushroom'
 + option encryption 'psk-mixed'
 + option key 'supersecretpassword'
 + option wpa_disable_eapol_key_retries '1'
 +
 +config wifi-device 'radio2'
 + option type 'mac80211'
 + option channel '36'
 + option hwmode '11a'
 + option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
 + option htmode 'VHT80'
 + option disabled '1'
 +
 +config wifi-iface 'default_radio2'
 + option device 'radio2'
 + option network 'lan'
 + option mode 'ap'
 + option ssid 'OpenWrt'
 + option encryption 'none'
 +
 +config wifi-iface
 + option device 'radio1'
 + option mode 'ap'
 + option encryption 'none'
 + option ssid 'Slave'
 + option isolate '1'
 + option network 'slave'
 +
 +config wifi-iface
 + option device 'radio1'
 + option mode 'ap'
 + option encryption 'none'
 + option ssid 'tor'
 + option isolate '1'
 + option network 'tor'
  
 </code></hidden> </code></hidden>
  
 +3. Create firewall rules
 +<hidden onHidden="/etc/config/firewall" onVisible="Click to see less"><code>
  
-==== 2nd, Mid Range AP ====+config defaults 
 + option syn_flood '1' 
 + option input 'ACCEPT' 
 + option output 'ACCEPT' 
 + option forward 'REJECT'
  
-create a guest wireless interface +config zone 
-<hidden onHidden="Click to read more" onVisible="Click to see less"><code>Hidden text</code></hidden>+ option name 'lan' 
 + option input 'ACCEPT' 
 + option output 'ACCEPT' 
 + option forward 'ACCEPT' 
 + option network 'lan'
  
-create a 3rd wireless interface +config zone 
-<hidden onHidden="Click to read more" onVisible="Click to see less"><code>Hidden text</code></hidden>+ option name 'wan' 
 + option input 'REJECT' 
 + option output 'ACCEPT' 
 + option forward 'REJECT' 
 + option masq '1' 
 + option mtu_fix '1' 
 + option network 'wan wan6'
  
-<hidden onHidden="Click to read more" onVisible="Click to see less"><code>Hidden text</code></hidden>+config forwarding 
 + option src 'lan' 
 + option dest 'wan'
  
-==== 3rd, Rear Range AP ====+config rule 
 + option name 'Allow-DHCP-Renew' 
 + option src 'wan' 
 + option proto 'udp' 
 + option dest_port '68' 
 + option target 'ACCEPT' 
 + option family 'ipv4'
  
-<hidden onHidden="Click to read more" onVisible="Click to see less"><code>Hidden text</code></hidden>+config rule 
 + option name 'Allow-Ping' 
 + option src 'wan' 
 + option proto 'icmp' 
 + option icmp_type 'echo-request' 
 + option family 'ipv4' 
 + option target 'ACCEPT' 
 + 
 +config rule 
 + option name 'Allow-IGMP' 
 + option src 'wan' 
 + option proto 'igmp' 
 + option family 'ipv4' 
 + option target 'ACCEPT' 
 + 
 +config rule 
 + option name 'Allow-DHCPv6' 
 + option src 'wan' 
 + option proto 'udp' 
 + option src_ip 'fc00::/6' 
 + option dest_ip 'fc00::/6' 
 + option dest_port '546' 
 + option family 'ipv6' 
 + option target 'ACCEPT' 
 + 
 +config rule 
 + option name 'Allow-MLD' 
 + option src 'wan' 
 + option proto 'icmp' 
 + option src_ip 'fe80::/10' 
 + list icmp_type '130/0' 
 + list icmp_type '131/0' 
 + list icmp_type '132/0' 
 + list icmp_type '143/0' 
 + option family 'ipv6' 
 + option target 'ACCEPT' 
 + 
 +config rule 
 + option name 'Allow-ICMPv6-Input' 
 + option src 'wan' 
 + option proto 'icmp' 
 + list icmp_type 'echo-request' 
 + list icmp_type 'echo-reply' 
 + list icmp_type 'destination-unreachable' 
 + list icmp_type 'packet-too-big' 
 + list icmp_type 'time-exceeded' 
 + list icmp_type 'bad-header' 
 + list icmp_type 'unknown-header-type' 
 + list icmp_type 'router-solicitation' 
 + list icmp_type 'neighbour-solicitation' 
 + list icmp_type 'router-advertisement' 
 + list icmp_type 'neighbour-advertisement' 
 + option limit '1000/sec' 
 + option family 'ipv6' 
 + option target 'ACCEPT' 
 + 
 +config rule 
 + option name 'Allow-ICMPv6-Forward' 
 + option src 'wan' 
 + option dest '*' 
 + option proto 'icmp' 
 + list icmp_type 'echo-request' 
 + list icmp_type 'echo-reply' 
 + list icmp_type 'destination-unreachable' 
 + list icmp_type 'packet-too-big' 
 + list icmp_type 'time-exceeded' 
 + list icmp_type 'bad-header' 
 + list icmp_type 'unknown-header-type' 
 + option limit '1000/sec' 
 + option family 'ipv6' 
 + option target 'ACCEPT' 
 + 
 +config rule 
 + option name 'Allow-IPSec-ESP' 
 + option src 'wan' 
 + option dest 'lan' 
 + option proto 'esp' 
 + option target 'ACCEPT' 
 + 
 +config rule 
 + option name 'Allow-ISAKMP' 
 + option src 'wan' 
 + option dest 'lan' 
 + option dest_port '500' 
 + option proto 'udp' 
 + option target 'ACCEPT' 
 + 
 +config include 
 + option path '/etc/firewall.user' 
 + 
 +config zone 
 + option name 'slave' 
 + option input 'ACCEPT' 
 + option forward 'REJECT' 
 + option output 'ACCEPT' 
 + option network 'slave' 
 + 
 +config zone 
 + option name 'tor' 
 + option input 'ACCEPT' 
 + option forward 'REJECT' 
 + option output 'ACCEPT' 
 + option network 'tor' 
 + 
 +</code></hidden> 
 + 
 +4. Create DHCP configurations 
 +<hidden onHidden="/etc/config/dhcp" onVisible="Click to see less"><code> 
 + 
 +config dnsmasq 
 + option domainneeded '1' 
 + option boguspriv '1' 
 + option filterwin2k '0' 
 + option localise_queries '1' 
 + option rebind_protection '1' 
 + option rebind_localhost '1' 
 + option local '/lan/' 
 + option domain 'lan' 
 + option expandhosts '1' 
 + option nonegcache '0' 
 + option authoritative '1' 
 + option readethers '1' 
 + option leasefile '/tmp/dhcp.leases' 
 + option resolvfile '/tmp/resolv.conf.auto' 
 + option nonwildcard '1' 
 + option localservice '1' 
 + 
 +config dhcp 'lan' 
 + option interface 'lan' 
 + option dhcpv6 'server' 
 + option ra 'server' 
 + option ignore '1' 
 + option ra_management '1' 
 + 
 +config dhcp 'wan' 
 + option interface 'wan' 
 + option ignore '1' 
 + 
 +config odhcpd 'odhcpd' 
 + option maindhcp '0' 
 + option leasefile '/tmp/hosts/odhcpd' 
 + option leasetrigger '/usr/sbin/odhcpd-update' 
 + option loglevel '4' 
 + 
 +</code></hidden>
  
 Resources: Resources:
-  * https://openwrt.org/docs/guide-user/network/vlan/creating_virtual_switches +  * [[docs:guide-user:network:vlan:creating_virtual_switches]] 
-  * https://openwrt.org/docs/guide-user/network/wifi/relay_configuration +  * [[docs:guide-user:network:wifi:relay_configuration]] 
-  * https://openwrt.org/docs/guide-user/network/wifi/routedap +  * [[docs:guide-user:network:wifi:routedap]] 
-  * https://openwrt.org/docs/guide-user/network/wifi/mesh/80211s+  * [[docs:guide-user:network:wifi:mesh:80211s]] 
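Review bot: In the rear AP firewall the `slave` and `tor` zones both set `option input 'ACCEPT'`, while the mid-range AP keeps `input 'REJECT'` on `slave`; because both SSIDs are `encryption 'none'`, any client in radio range can reach the AP's own services on those interfaces. Set `input 'REJECT'` on both zones and add rules only for what the AP must answer. In the rear AP network file, `wan` and `lan` are both static with `ipaddr '192.168.0.252'`, `wan` carries `broadcast '192.168.1.255'`, which does not match its 192.168.0.252/255.255.255.0 address, and `slave` pairs `netmask '255.255.255.0'` with `broadcast '172.16.255.255'`; these should be made consistent with the mid-range AP values. The `switch_vlan` section for VLAN 2 has no `option ports` line, and `default_radio2` keeps an open `OpenWrt` SSID that only stays off because `radio2` is disabled. Dropping the `config host` entries is a good change, since they published device hostnames and MAC addresses.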
  • Last modified: 2021/11/04 09:43
  • by trendy