Wi-Fi Extender/Repeater with Bridged AP over Ethernet

Bridged AP is to extend your existing wired host router to have wireless capabilities. Clients connecting to OpenWRT will get an IP address from the wired host router.

OpenWrt bridges the LAN network with the WLAN of the device in Access Point mode. The advantage of bridging is that broadcast traffic from Wireless to LAN and vice versa works without further changes.

This document outlines the steps necessary to implement such a setup.

Note: This recipe results in a bridged LAN that will work fine for home and small networks.

The changes below assume an OpenWrt default configuration, the relevant files are:

Edit /etc/config/network and change the lan interface section to set the IP your access point should have in the future:

config interface lan
        option ifname eth0
        option type bridge
        option proto static
        option ipaddr
        option netmask
        option gateway
        option dns

This IP address must be an unused one within the network subnet of the main router. You could also change proto to dhcp and let the main router decide the access point's address, but of course from then on the access point needs a DHCP server and you will lose the ability to directly plug into your access point for maintenance.

In /etc/config/wireless, locate the existing wifi-iface section and change its network option to point to the newly created interface section.

config wifi-iface
	option device wifi0
	option network lan
	option mode ap
	option ssid OpenWrt
	option encryption none

Naturally, you should consider securing your wifi network.

service dnsmasq disable
service dnsmasq stop

Ensure the host router is connected with a lan port of the openwrt, not the wan port!

Enable the new wireless network with the following command:


Wireless Access Point - Dumb Access Point - Detailed Examples

This following describes in great detail how to configure your device as a wireless access point (AP) connected to an existing network with a main router. This is often called a dumb AP since it will not perform administrative duties such as routing, firewall, DHCP, or DNS, as these would be performed by the router or other device.

This is commonly used to add additional wireless coverage to an existing network, maybe on a different floor or to cover a dead spot. This setup is sufficient for small home or office network, but for larger networks a more sophisticated approach is often used.

Summary of configuration for a Wireless AP:

  1. The wireless AP is connected LAN-to-LAN to the main router by some means e.g. ethernet cable, 802.11s mesh, etc.
  2. The wireless AP bridges its SSID wireless interface onto its LAN bridge interface. Wireless traffic on the wireless AP goes to its bridge LAN interface, then to the main router.
  3. The wireless AP bridge LAN may have either a static or DHCP address on the same subnet as the main router bridge LAN interface.
  4. The wireless AP gateway IP address is set to the address of the main router, either in the configuration or by DHCP.
  5. The wireless AP does not provide services such as DHCP, DNS, or firewall.

These instructions refer to the interface found in OpenWrt 23.05. The interface of v21 upwards differs in significant ways from earlier versions of OpenWrt which we try to account for.

This setup requires two routers, a computer with an Ethernet port, and an Ethernet cable. We refer to the routers as the main router and the wireless AP and we assume default settings on both. The main router should already be properly configured and connected to the Internet.

Disconnect the wireless AP from your network.
Use an Ethernet cable to connect your computer to one of the LAN ports (not the Internet/WAN port) of the wireless AP.
If you use a notebook, turn off WiFi while configuring to only have a wired IP connection to your “to be” configured wireless AP.
From a browser, navigate to LuCI by going to, login, set the admin password if necessary.

Go to Network → Interfaces and click on the Edit button of the LAN interface. Ensure you are on the General Settings tab.

It is easiest to configure the wireless AP to use DHCP to obtain an address from the main router,
but this guide will show how configure a static IP address too.

Assign the wireless AP an IP address.
By default, the main router will have an address of, so use (or similar).
The address should be on the same subnet as your main router, but out of the DHCP range used when assigning addresses to connected devices.
By default, that means the wireless AP router IP should be between and
When adding multiple wireless APs, you could use,, etc.
Save and apply the new IP address.

A warning screen will appear because you changed the routers IP to Click “Apply and keep settings”.

Navigate back to the address you assigned in the previous step (e.g.
Make sure your browser uses the new IP address you assigned in the previous step.
Why? Because in the next step, the gateway needs to be changed to point to the main router, and LuCI will not allow you to change the gateway to while the wireless AP router is using that IP address.
If things are not working as expected, unplug the network cable from your computer for 10 seconds and plug in again. The currently still active DHCP server on your wireless AP will then reassign an IP to you.

Login to your router and go back to Network → Interfaces, Edit the LAN interface, General Settings tab.

Change the IPv4 gateway to your main router, by default. This sets the wireless AP router to use the main router for Internet access.

Use the main router ( for DNS. Same page but the Advanced Settings tab. Enter the IP of your main router in the Use custom DNS servers field and click +.

Use the main router for DHCP (and disable DHCP for the Wireless AP). Same page again, now the DHCP Server tab. Ensure the Ignore interface checkbox is checked.

Disable IPv6 DHCP. Same page, DHCP Server tab, click on the IPv6 Settings sub-tab. Set the RA-Service, DHCPv6-Service, and NDP-Proxy dropdowns to disabled.
In versions of OpenWrt older than 21.02: Under “Physical Settings” tab, ensure “Bridge interfaces” is ticked, and ensure BOTH of your interfaces (eth0, wlan0) are selected, in order to allow traffic between wireless and wired connections.
Click “Save”.

On the “Interface” screen, click “Save & Apply”.
The most important steps are done, your wireless AP works!

Read next steps for some fine tuning, enabling WLAN, or adding a Guest Network:

If you plan to add a “GUEST” network on your wireless AP (see this guide: guestwifi_dumbap), do not do the next steps regarding turning off services labeled firewall, dnsmasq and odhcpd because your GUEST network will need these. However deleting the WAN / WAN6 interfaces is compatible with having a GUEST network on your wireless AP.

  • To save resources on the wireless AP, disable unused services. Navigate to System → Startup. Disable the services labeled firewall, dnsmasq and odhcpd. (Perhaps ironically, click Enable to toggle.) Note even though these services are now disabled, after you flash a new image to the device they will be re-enabled. For a more permanent method see Disable Daemons Persistently.
  • Remove or disable the WAN and WAN6 interfaces. On the Network → Interfaces page, Edit the WAN and WAN6 interfaces to uncheck the Bring up on boot checkbox. Or just delete the interfaces.
  • Note that by default OpenWrt does not enable wireless access. So, from a default installation, at minimum will need to review the wireless SSIDs, enable wireless security, set country code, and then enable the wireless radios from the Network → Wireless page.
  • Click the Save and Apply button.

Use an Ethernet cable to connect one of the LAN ports on your main router to one of the LAN ports (not the WAN/Internet port) of the wireless AP. You may need to reboot either or both routers, the device connecting your main router to the Internet, and potentially any connected devices. In many cases this will not be necessary. Done!

The changes below assume an OpenWrt default configuration, the relevant files are:

Edit /etc/config/network and change the interface section:

For switch-less devices, e.g. Alix Board, wr1043nd v2

On switchless devices, simply bridge all ethernet interfaces together, remove the existing WAN interface - if any.

config interface lan
        option type     'bridge'
        option ifname   'eth0 eth1'   # Bridges lan and wan
        option proto    'dhcp'        # Change as appropriate

For devices with switch and dedicated WAN, e.g. WNDR3700, WR1043ND v1, WR741ND v2.4

On devices with a separate WAN interface, bridge the LAN VLAN together with the WAN interface, remove the existing WAN interface - if any.

config interface lan
        option type     'bridge'
        option ifname   'eth0.1 eth1'  # Bridges vlan 1 and wan
        option proto    'dhcp'         # Change as appropriate

Switch configuration on WR1043ND (barrier breaker).

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 4 5t'  # 1. add 0 in here

#config switch_vlan               # 2. comment out or delete the whole vlan 2 section
#       option device 'switch0'
#       option vlan '2'
#       option ports '0 5t'

For devices with switch only, e.g. WRT54GL

On devices where WAN and LAN are separated by switch config, reconfigure the LAN VLAN to cover all ports, remove the existing WAN interface and its related VLAN - if any.

config switch_vlan eth0_1
        option vlan     '1'
        option ports    '0 1 2 3 4 5t' # Might vary depending on the device

config interface lan
        option type     'bridge'
        option ifname   'eth0.1'      
        option proto    'dhcp'         # Change as appropriate

Switch and dedicated WAN devices post 21.01

The syntax is slightly different for these devices. You will notice that there is a config device which lists the ethernet port(s) assigned to an interface (in this case the br-lan). It will also list the assigned port under the “list ports” clause. The gotcha here is that you must add a separate line for each “list ports” added to a device. If you try to add them to one “list ports” entry space or comma separated it will not work properly. Finally you can remove/comment out any WAN interface settings identical to the above entries.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask ''
	option ipaddr ''

Edit /etc/config/wireless, and don't worry about most of it, things that might need changes are commented.

config 'wifi-device' 'radio0'
        option type    'mac80211'
        option channel '11'
        option macaddr '12:e4:4a:b3:83:1a'
        option htmode  'HT20'
        list ht_capab  'SHORT-GI-20'
        list ht_capab  'SHORT-GI-40'
        list ht_capab  'TX-STBC'
        list ht_capab  'RX-STBC1'
        list ht_capab  'DSSS_CCK-40'

config 'wifi-iface'
        option device  'radio0'
        option network 'lan'  # Set to the name of the bridged interface
        option mode    'ap'
        option ssid    'ap_myaccesspoint'
        option encryption 'psk2'  # Change as appropriate
        option key     'ap_password'

If you still need dnsmasq running for something else (e.g. TFTP server) you can do:

uci set dhcp.lan.ignore=1
uci commit dhcp
/etc/init.d/dnsmasq restart

If not disable dnsmasq service:

/etc/init.d/dnsmasq disable
/etc/init.d/dnsmasq stop

Disable odhcpd with uci:

uci set dhcp.lan.dhcpv6=disabled
uci set dhcp.lan.ra=disabled
uci commit

Or disable service:

/etc/init.d/odhcpd disable
/etc/init.d/odhcpd stop
/etc/init.d/firewall disable
/etc/init.d/firewall stop
rm /usr/sbin/wpa_supplicant

Reloading the network config should be enough, it should automatically restart if necessary. Alternatively, reboot.

/etc/init.d/network reload

If you would like your AP to receive IPv6 as a host only and not for routing you have to tell the DHCPv6 client not to request prefix delegation. If you do not do this the AP will reject basic IPv6 addresses. If you want to still be able to use IPv6 on the router itself change the wan6 to lan6 and @wan to @lan.

config interface 'lan6'
	option proto 'dhcpv6'
	option ifname '@lan'
	option reqprefix 'no'

Note that although the start-up of daemons such as firewall, dnsmasq, wpa_supplicant and optionally odhcpd have been set to disabled, when a new image is flashed to the device, they will be re-enabled. To work-around this, simply add the following to /etc/rc.local on the device:

# these services do not run on dumb APs
for i in firewall dnsmasq odhcpd; do
  if /etc/init.d/"$i" enabled; then
    /etc/init.d/"$i" disable
    /etc/init.d/"$i" stop

rm /usr/sbin/wpa_supplicant

Dumb APs will not have the data to display hostnames of the associated devices. Only MAC addresses are known to it. Users wanting to see the corresponding hostnames in the Associated Stations display in LuCI can manually populate /etc/ethers on the dumb AP:

On the router, one can extract these data with the following one-liner:

< dhcp.leases | awk '{print $2" "$4}'

See the following discussion threads for additional approaches:

DLNA and UPnP clients, and printer or SMB discovery protocols tend to work by using multicast packets. For example PlayStation, Xbox, and TVs use DLNA to detect, communicate with and stream audio/video over the network. By default on bridged interfaces on OpenWrt multicast snooping is turned off. This means all network interfaces connected to a bridge (such as a WiFi SSID and ethernet VLAN) will receive multicast packets as if they were broadcast packets.

On WiFi the slowest modulation available is used for multicast packets (so that everyone can hear them). If you have “enabled legacy 802.11b rates” on your WiFi (Advanced settings checkbox in LuCI under the WiFi settings, or option legacy_rates '1' in /etc/config/wireless file) then 1Mbps is the rate that will be used. This can completely use up the WiFi airtime with even fairly light multicast streaming.

There are two possible fixes for this, one is to enable multicast snooping: option igmp_snooping '1' under the appropriate /etc/config/network settings for the bridge. This will cause the bridge to forward only on bridge ports that have requested to receive the particular multicast group. On the other hand, if someone on WiFi requests the group, it will still flood the multicast there, and some people have reported problems with certain devices such as android phones and with ipv6 when igmp_snooping is enabled (requires further debugging to identify if there is really a problem or not). By disabling legacy 802.11b rates (option legacy_rates '0') you can at least force the use of 6Mbps or more on the WiFi multicast packets, and this opens up more airtime for other uses.

Several videos are available on the topic which may be useful for background information.
Bare in mind they are somewhat outdated and generally do not take into account everything.

Using OpenWrt v21 with DSA example:

Two videos which are outdated but explain firewall and APs:

WiFi roaming is much improved in newer mobile devices so configuring Fast Roaming, aka 802.11r, may not be required.
This video can be misleading as 802.11r has nothing to do with mesh networking.

  1. Dumb AP wireless can be configured to control access as Open/WPA/WPA2/etc. MAC-based access control is controlled by the main router.
  2. 'Static DHCP' is not covered here: this procedure creates an AP that provides wired/wireless access and won't interfere with Static DHCP.
  3. This recipe is similar to the “Bridged AP” recipe at Bridged AP. These pages should probably be merged.
  4. Firewall bridge mode support in OpenWrt is provided by the kmod-br-netfilter module.
This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2024/07/07 12:09
  • by darksky2