Bridged AP configuration is used to add WiFi on an existing network. This bridges the LAN with wireless device(s) in Access Point mode. The advantage of bridging is that broadcast traffic from WLAN-to-LAN and vice versa works without further changes. Wireless clients connecting to the AP will get an IP address from the wired router.

The changes below assume an default OpenWrt configuration. The relevant files are:

• /etc/config/network
• /etc/config/wireless

Edit /etc/config/network and change the lan interface section to set the IP your access point should have in the future:

config interface lan
        option ifname eth0
        option type bridge
        option proto static
        option ipaddr 192.168.1.2
        option netmask 255.255.255.0
        option gateway 192.168.1.1
        option dns 192.168.1.1

This must be an unused IP within the network subnet of the main router. You could also change proto to dhcp and let the main router decide the AP address, but of course from then on the access point needs a DHCP server and you will lose the ability to directly plug into your access point for maintenance.

In /etc/config/wireless, locate the existing wifi-iface section and change its network option to point to the newly created interface section.

config wifi-iface
	option device wifi0
	option network lan
	option mode ap
	option ssid OpenWrt
	option encryption none

Naturally, you should consider securing your wifi network.

service dnsmasq disable
service dnsmasq stop

Ensure the host router is connected with a LAN port of the wireless AP, not the WAN port!

Enable the new wireless network with the following command:

wifi

This section describes how to configure your device as a wireless access point (AP) connected to an existing network with a router. This is often called a “dumb AP” since it will not perform duties such as routing, firewall, DHCP, or DNS, as these are performed by the router or other device.

This is commonly used to add additional wireless coverage to an existing network, maybe on a different floor or to cover a dead zone. This setup is sufficient for small home or office network, but for larger networks a more sophisticated approach is often used.

These instructions refer to the DSA interface found in OpenWrt 23.05 onward. This differs from earlier versions that use swconfig which we will cover too. Required items include:

1. An existing router already configured and connected to the Internet.
2. The router/AP to be configured as a wireless AP.
3. Computer with an Ethernet port
4. Ethernet cable.

Start by disconnecting the wireless AP from your network.
Use an Ethernet cable to connect your computer to one of the LAN ports (not the Internet/WAN port) of the wireless AP.
If you use a notebook, turn off WiFi while configuring to only have a wired IP connection to your “to be” configured wireless AP.
From a browser, navigate to LuCI by going to http://192.168.1.1, login, set the admin password if necessary.

Go to Network → Interfaces and click on the Edit button of the LAN interface. Ensure you are on the General Settings tab.

It is easiest to configure the wireless AP to use DHCP to obtain an address from the main router,
but this guide will show how configure a static IP address too.

Assign the wireless AP an IP address.
By default, the main router will have an address of 192.168.1.1, so use 192.168.1.2 (or similar).
The address should be on the same subnet as your main router, but out of the DHCP range used when assigning addresses to connected devices.
By default, that means the wireless AP router IP should be between 192.168.1.2 and 192.168.1.100.
When adding multiple wireless APs, you could use 192.168.1.3, 192.168.1.4, etc.
Save and apply the new IP address.

A warning screen will appear because you changed the routers IP to 192.168.1.2. Click “Apply and keep settings”.

Navigate back to the address you assigned in the previous step (e.g. http://192.168.1.2).
Make sure your browser uses the new IP address you assigned in the previous step.
Why? Because in the next step, the gateway needs to be changed to point to the main router, and LuCI will not allow you to change the gateway to 192.168.1.1 while the wireless AP router is using that IP address.
If things are not working as expected, unplug the network cable from your computer for 10 seconds and plug in again. The currently still active DHCP server on your wireless AP will then reassign an IP to you.

Login to your router and go back to Network → Interfaces, Edit the LAN interface, General Settings tab.

Change the IPv4 gateway to your main router, 192.168.1.1 by default. This sets the wireless AP router to use the main router for Internet access.

Use the main router (192.168.1.1) for DNS. Same page but the Advanced Settings tab. Enter the IP of your main router in the Use custom DNS servers field and click +.

Use the main router for DHCP (and disable DHCP for the Wireless AP). Same page again, now the DHCP Server tab. Ensure the Ignore interface checkbox is checked.

Disable IPv6 DHCP. Same page, DHCP Server tab, click on the IPv6 Settings sub-tab. Set the RA-Service, DHCPv6-Service, and NDP-Proxy dropdowns to disabled.
In versions of OpenWrt prior to 21.02: Under “Physical Settings” tab, ensure “Bridge interfaces” is ticked, and ensure BOTH of your interfaces (eth0, wlan0) are selected, in order to allow traffic between wireless and wired connections.
Click “Save”.

On the “Interface” screen, click “Save & Apply”.
The most important steps are done, your wireless AP works!

Read next steps for some fine tuning, enabling WLAN, or adding a Guest Network:

If you plan to add a “GUEST” network on your wireless AP (see this guide: guestwifi_dumbap), do not do the next steps regarding turning off services labeled firewall, dnsmasq and odhcpd because your GUEST network will need these. However deleting the WAN / WAN6 interfaces is compatible with having a GUEST network on your wireless AP.

• To save resources on the wireless AP, disable unused services. Navigate to System → Startup. Disable the services labeled firewall, dnsmasq and odhcpd. (Perhaps ironically, click Enable to toggle.) Note even though these services are now disabled, after you flash a new image to the device they will be re-enabled. For a more permanent method see Disable Daemons Persistently.
• Remove or disable the WAN and WAN6 interfaces. On the Network → Interfaces page, Edit the WAN and WAN6 interfaces to uncheck the Bring up on boot checkbox. Or just delete the interfaces.
• Note that by default OpenWrt does not enable wireless access. So, from a default installation, at minimum will need to review the wireless SSIDs, enable wireless security, set country code, and then enable the wireless radios from the Network → Wireless page.
• Click the Save and Apply button.

Use an Ethernet cable to connect one of the LAN ports on your main router to one of the LAN ports (not the WAN/Internet port) of the wireless AP. You may need to reboot either or both routers, the device connecting your main router to the Internet, and potentially any connected devices. In many cases this will not be necessary.
Done!

The changes below assume an OpenWrt default configuration, the relevant files are:

• /etc/config/network
• /etc/config/wireless

Edit /etc/config/network and change the interface section:

On switchless devices, simply bridge all ethernet interfaces together, remove the existing WAN interface - if any.

config interface lan
        option type     'bridge'
        option ifname   'eth0 eth1'   # Bridges lan and wan
        option proto    'dhcp'        # Change as appropriate

On devices with a separate WAN interface, bridge the LAN VLAN together with the WAN interface, remove the existing WAN interface - if any.

config interface lan
        option type     'bridge'
        option ifname   'eth0.1 eth1'  # Bridges vlan 1 and wan
        option proto    'dhcp'         # Change as appropriate

Switch configuration on WR1043ND (barrier breaker).

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 4 5t'  # 1. add 0 in here

#config switch_vlan               # 2. comment out or delete the whole vlan 2 section
#       option device 'switch0'
#       option vlan '2'
#       option ports '0 5t'

On devices where WAN and LAN are separated by switch config, reconfigure the LAN VLAN to cover all ports, remove the existing WAN interface and its related VLAN - if any.

config switch_vlan eth0_1
        option vlan     '1'
        option ports    '0 1 2 3 4 5t' # Might vary depending on the device

config interface lan
        option type     'bridge'
        option ifname   'eth0.1'      
        option proto    'dhcp'         # Change as appropriate

The syntax is slightly different for these devices. You will notice that there is a config device which lists the ethernet port(s) assigned to an interface (in this case the br-lan). It will also list the assigned port under the “list ports” clause. The gotcha here is that you must add a separate line for each “list ports” added to a device. If you try to add them to one “list ports” entry space or comma separated it will not work properly. Finally you can remove/comment out any WAN interface settings identical to the above entries.

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.1.1'

Edit /etc/config/wireless, and don't worry about most of it, things that might need changes are commented.

config 'wifi-device' 'radio0'
        option type    'mac80211'
        option channel '11'
        option macaddr '12:e4:4a:b3:83:1a'
        option htmode  'HT20'
        list ht_capab  'SHORT-GI-20'
        list ht_capab  'SHORT-GI-40'
        list ht_capab  'TX-STBC'
        list ht_capab  'RX-STBC1'
        list ht_capab  'DSSS_CCK-40'

config 'wifi-iface'
        option device  'radio0'
        option network 'lan'  # Set to the name of the bridged interface
        option mode    'ap'
        option ssid    'ap_myaccesspoint'
        option encryption 'psk2'  # Change as appropriate
        option key     'ap_password'

If you still need dnsmasq running for something else (e.g. TFTP server) you can do:

uci set dhcp.lan.ignore=1
uci commit dhcp
/etc/init.d/dnsmasq restart

If not disable dnsmasq service:

/etc/init.d/dnsmasq disable
/etc/init.d/dnsmasq stop

Disable odhcpd with uci:

uci set dhcp.lan.dhcpv6=disabled
uci set dhcp.lan.ra=disabled
uci commit

Or disable service:

/etc/init.d/odhcpd disable
/etc/init.d/odhcpd stop

/etc/init.d/firewall disable
/etc/init.d/firewall stop

rm /usr/sbin/wpa_supplicant

Reloading the network config should be enough, it should automatically restart if necessary. Alternatively, reboot.

/etc/init.d/network reload

If you would like your AP to receive IPv6 as a host only and not for routing you have to tell the DHCPv6 client not to request prefix delegation. If you do not do this the AP will reject basic IPv6 addresses. If you want to still be able to use IPv6 on the router itself change the wan6 to lan6 and @wan to @lan.

config interface 'lan6'
	option proto 'dhcpv6'
	option ifname '@lan'
	option reqprefix 'no'

Note that although the start-up of daemons such as firewall, dnsmasq, wpa_supplicant and optionally odhcpd have been set to disabled, when a new image is flashed to the device, they will be re-enabled. To work-around this, simply add the following to /etc/rc.local on the device:

# these services do not run on dumb APs
for i in firewall dnsmasq odhcpd; do
  if /etc/init.d/"$i" enabled; then
    /etc/init.d/"$i" disable
    /etc/init.d/"$i" stop
  fi
done

rm /usr/sbin/wpa_supplicant

Dumb APs will not have the data to display hostnames of the associated devices. Only MAC addresses are known to it. Users wanting to see the corresponding hostnames in the Associated Stations display in LuCI can manually populate /etc/ethers on the dumb AP:

On the router, one can extract these data with the following one-liner:

< dhcp.leases | awk '{print $2" "$4}'
# or
awk '$4 != "*"{print $2" "$4}' /tmp/dhcp.leases

See the following discussion threads for additional approaches:

• Using fping to populate ethers file: https://forum.openwrt.org/t/associated-stations-list-in-ap-how-to-show-host-names/63475/6
• An improved fping approach: https://forum.openwrt.org/t/second-device-not-getting-dns-entries-from-first-device-to-show-in-associated-stations/57005/14
• Propagating dhcp.leases to secondary (dumb) access points: https://forum.openwrt.org/t/associated-stations-making-hostnames-visible-across-multiple-aps/92593

DLNA and UPnP clients, and printer or SMB discovery protocols tend to work by using multicast packets. For example PlayStation, Xbox, and TVs use DLNA to detect, communicate with and stream audio/video over the network. By default on bridged interfaces on OpenWrt multicast snooping is turned off. This means all network interfaces connected to a bridge (such as a WiFi SSID and ethernet VLAN) will receive multicast packets as if they were broadcast packets.

On WiFi the slowest modulation available is used for multicast packets (so that everyone can hear them). If you have “enabled legacy 802.11b rates” on your WiFi (Advanced settings checkbox in LuCI under the WiFi settings, or option legacy_rates '1' in /etc/config/wireless file) then 1Mbps is the rate that will be used. This can completely use up the WiFi airtime with even fairly light multicast streaming.

There are two possible fixes for this, one is to enable multicast snooping: option igmp_snooping '1' under the appropriate /etc/config/network settings for the bridge. This will cause the bridge to forward only on bridge ports that have requested to receive the particular multicast group. On the other hand, if someone on WiFi requests the group, it will still flood the multicast there, and some people have reported problems with certain devices such as android phones and with ipv6 when igmp_snooping is enabled (requires further debugging to identify if there is really a problem or not). By disabling legacy 802.11b rates (option legacy_rates '0') you can at least force the use of 6Mbps or more on the WiFi multicast packets, and this opens up more airtime for other uses.

Several videos are available on the topic which may be useful for background information.
Bare in mind they are somewhat outdated and generally do not take into account everything.

Using OpenWrt v21 with DSA example:

Two videos which are outdated but explain firewall and APs:

WiFi roaming is much improved in newer mobile devices so configuring Fast Roaming, aka 802.11r, may not be required.
This video can be misleading as 802.11r has nothing to do with mesh networking.

1. Dumb AP wireless can be configured to control access via Open/WPA/WPA2/WPA3. However MAC-based access control is controlled by the main router.
2. Static DHCP is not covered here. This procedure creates an AP that provides wired/wireless access and won't interfere with Static DHCP.
3. Firewall bridge mode support in OpenWrt is provided by the kmod-br-netfilter module.