Wired backhaul: connect multiple router(s)/AP(s) to each other via ethernet cable.
Wireless backhaul: connect multiple router(s)/AP(s) to each other via wifi a.k.a. wifi mesh.
So it’s not related to combining multiple wifi SSIDs into one?
Nope, that’s the job of the client (e.g. your phone).
What’s VLAN?
Virtual local area network. Imagine a big apartment complex where all the residents share the same network. A VLAN would be like creating separate apartments within the complex, so that each “apartment” has its own network and can’t see or access the other networks. This helps to keep different groups of people or devices separate and more secure.
Fast roaming?
Roaming: when a device disconnects from one access point and connects to another.
Disconnect AP1 → authenticate with AP2 → connect to AP2.
Fast roaming: change how the device roams, so it feels like you never disconnect from the network.
Authenticate with AP2 → connect to AP2 → disconnect AP1.
Should I upgrade the packages regularly?
NO. DO NOT BLINDLY UPGRADE THE PACKAGES. Unlike a full-blown consumer-ready OS, OpenWrt expects users to upgrade packages through a system upgrade when one is available. Packages written for OpenWrt are written for very, very low-end devices - routers, where memory is scarce. Most of them (if not all) don't have any fallback when something goes wrong and aren't written with backward compatibility in mind.
LuCI web interface → Network → Firewall → Zones section.
Create a new zone:
| Field | Value |
| --- | --- |
| Name | GuestZone |
| Input | REJECT |
| Output | ACCEPT |
| Forward | REJECT |
| Allow forward to destination zones | wan |
| Allow forward from source zones | lan or leave blank if you don’t want lan to access GuestZone |
If Allow forward from source zones of GuestZone is set to lan, you’ll also need to edit the lan zone:
Allow forward to destination zones: add GuestZone
Since GuestZone is blocked from accessing the router (Input rule), we need to whitelist ports 53, 67 and 68 so the router can assign DHCP leases and provide DNS to the guest clients.
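An added example, not part of the original guide: a small Python audit that parses firewall configuration written in OpenWrt's /etc/config/firewall syntax and checks that GuestZone matches the table above and that only ports 53, 67 and 68 are opened to the router. The embedded config is a constructed sample, and the function names are made up for this example.

```python
import shlex

# Constructed sample in /etc/config/firewall syntax mirroring the GuestZone table.
GUEST_FW = """
config zone
    option name 'GuestZone'
    option input 'REJECT'
    option output 'ACCEPT'
    option forward 'REJECT'
config forwarding
    option src 'GuestZone'
    option dest 'wan'
config rule
    option src 'GuestZone'
    option dest_port '53'
    option target 'ACCEPT'
config rule
    option src 'GuestZone'
    option dest_port '67-68'
    option target 'ACCEPT'
"""

def parse_uci(text):
    """Return a list of sections; every option value is a list of words."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if tok and tok[0] == "config":
            sections.append({".type": [tok[1]]})
        elif len(tok) == 3 and tok[0] in ("option", "list") and sections:
            sections[-1].setdefault(tok[1], []).extend(tok[2].split())
    return sections

def audit_guest_zone(text, zone="GuestZone", needed=(53, 67, 68)):
    """List deviations: input/forward REJECT, forward only to wan, only DNS/DHCP open."""
    secs, issues, opened = parse_uci(text), [], set()
    for s in secs:
        kind, src = s[".type"][0], s.get("src") == [zone]
        if kind == "zone" and s.get("name") == [zone]:
            issues += [f"{k} is not REJECT" for k in ("input", "forward") if s.get(k) != ["REJECT"]]
        elif kind == "forwarding" and src and s.get("dest") != ["wan"]:
            issues.append(f"guests can forward to {s.get('dest', ['?'])[0]}")
        elif kind == "rule" and src and "dest" not in s and s.get("target") == ["ACCEPT"]:
            for p in s.get("dest_port", ["1-65535"]):  # no dest_port = every port
                lo, _, hi = p.partition("-")
                opened.update(range(int(lo), int(hi or lo) + 1))
    issues += [f"port {p} closed, DHCP/DNS will fail" for p in needed if p not in opened]
    extra = sorted(opened - set(needed))
    return issues + ([f"{len(extra)} extra router port(s) open to guests, e.g. {extra[0]}"] if extra else [])
```

Calling `audit_guest_zone()` on the text of a router's firewall config returns an empty list when the guest zone is as restrictive as described here.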
LuCI web interface → Network → Interfaces → Devices tab
Have 2 bridge devices: br-lan and br-guest. Create them if they don’t exist.
| General device options tab | LAN bridge | Guest bridge |
| --- | --- | --- |
| Device type | Bridge device | Bridge device |
| Device name | br-lan | br-guest |
| Bridge ports | All physical LAN ports of the router | Leave blank for the moment |
| Bring up empty bridge | checked | checked |
Save. (NOT SAVE & APPLY)
Back to configure the br-lan device: hit Configure... button.
Navigate to the Bridge VLAN filtering tab.
Enable VLAN filtering: checked
Add 2 new VLAN IDs: one for guest, one for local network.
I’ll use 3 for the guest network and 10 for the local network. Avoid using 1 as it’s the default VLAN ID, and the routers are also using this for other tasks so it’s better to avoid other clients having access to it.
For LAN ports that are used to connect to:
Other routers, select egress tagged for ALL the VLANs: network packets will have the VLAN tag (tagged) when they leave (egress) the router to VLAN-aware devices. Your PC or laptop won’t be able to use these ports as they don’t know what to do with the VLAN tag.
Other clients, select egress untagged and Primary VLAN ID for ONE VLAN that you want to use for that port: network packets meant to go to that port will not have the VLAN tag (untagged) when they leave (egress) the router to VLAN-unaware devices, and for network packets that don’t have the VLAN tag, the router will send them to the port with the Primary VLAN ID checked.
Tick the local box of all the VLANs. This will make the VLAN visible for local use, such as assigning VLAN zones to interfaces.
Save (NOT SAVE & APPLY)
Go back to Configure... the br-guest device: add Software VLAN: "br-lan.3" to the Bridge ports field.
WARNING: DO NOT HIT SAVE & APPLY YET! IF YOU ACCIDENTALLY DO SO, WAIT 90s FOR THE LUCI TO ROLLBACK THE CHANGES.
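An added example, not part of the original guide: a simplified Python model of bridge VLAN filtering with VLAN 3 (guest) and VLAN 10 (local), showing which ports a frame can leave from and whether it carries a tag. The port names and the port-to-VLAN assignment are constructed for the example, and the model only covers flooding, not MAC learning.

```python
# Constructed port table for br-lan; port names and roles are assumptions.
# "t" = egress tagged, "u" = egress untagged, pvid = Primary VLAN ID.
PORTS = {
    "lan1": {"vlans": {3: "t", 10: "t"}, "pvid": None},  # to another router/AP
    "lan2": {"vlans": {10: "u"}, "pvid": 10},            # local client
    "lan3": {"vlans": {3: "u"}, "pvid": 3},              # guest client
}

def classify(port, tag):
    """VLAN the bridge assigns to a frame arriving on `port` (None = dropped)."""
    cfg = PORTS[port]
    # Untagged frames take the port's primary VLAN; tagged frames keep their tag.
    vid = cfg["pvid"] if tag is None else tag
    # Frames for a VLAN the port is not a member of are dropped on ingress.
    return vid if vid in cfg["vlans"] else None

def deliver(port, tag=None):
    """Flood a frame; return {egress_port: tag_on_wire}, None meaning untagged."""
    vid = classify(port, tag)
    if vid is None:
        return {}
    return {p: (vid if c["vlans"][vid] == "t" else None)
            for p, c in PORTS.items() if p != port and vid in c["vlans"]}

if __name__ == "__main__":
    print(deliver("lan3"))      # guest client frame: only the trunk, tagged 3
    print(deliver("lan1", 10))  # tagged 10 from the other router: lan2, untagged
    print(deliver("lan3", 10))  # guest port sending tag 10: dropped
```

In this model a guest port can neither reach the local client port nor join VLAN 10 by tagging its own frames, which is the isolation the VLAN setup is meant to provide.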
LuCI web interface → Network → Interfaces → Interfaces tab
Have 2 interfaces: lan and guest. Create them if they don’t exist:
| Field | LAN interface | Guest interface |
| --- | --- | --- |
| Name | LAN | GUEST |
| Protocol | Static address | Static address |
| Device | br-lan.4 | br-guest |
Create interface
Edit if the interface already exists.
General Settings tab:
| Field | LAN interface | Guest interface |
| --- | --- | --- |
| Protocol | Static address | Static address |
| Device | br-lan.4 | br-guest |
| Bring up on boot | checked | checked |
For IPv4 address and netmask, you can use any IP in one of the below classes. The router will use the IP to assign DHCP to the clients in the same class.
| Class | Range | Allowed netmask |
| --- | --- | --- |
| A | 10.0.0.0 to 10.255.255.255 | 255.0.0.0, 255.255.0.0, 255.255.255.0 |
| B | 172.16.0.0 to 172.31.255.255 | 255.255.0.0, 255.255.255.0 |
| C | 192.168.0.0 to 192.168.255.255 | 255.255.0.0, 255.255.255.0 |
Advanced Settings tab:
| Field | LAN interface | Guest interface |
| --- | --- | --- |
| Force link | checked | checked |
| Use default gateway | unchecked | unchecked |
Firewall Settings tab:
| Field | LAN interface | Guest interface |
| --- | --- | --- |
| Create/Assign firewall-zone | LAN | GuestZone |
Navigate to the DHCP Server tab and hit Set up DHCP Server if it exists, else just make sure Ignore interface is unchecked.
Skip this if you’re not planning to create a mesh backhaul.
Install required packages: LuCI web interface → System → Software → Update lists
Update lists button
Search luci-proto-gre, wpad-mesh-wolfssl
Tick Overwrite files from other package(s) before hitting Install.
Reboot the router(s)/AP(s).
Add interface for the other router(s)/AP(s) to connect to:
General Settings tab:
| Field | Value |
| --- | --- |
| Name | AP1 |
| Protocol | GRETAP tunnel over IPv4 |
| Bring up on boot | checked |
| Remote IPv4 address or FQDN | IPv4 address of the other router/AP |
| Local IPv4 address | IPv4 address of the current router |
Advanced Settings tab:
| Field | Value |
| --- | --- |
| Force link | checked |
| Bind interface | lan |
| Don’t Fragment | unchecked |
| Use default gateway | unchecked |
Assign the interface to the bridge(s):
br-guest: add @AP1.3 to the Bridge ports field.
Repeat the above steps as many times as the number of routers/APs you want to connect to.
Create a mesh wifi backhaul: LuCI web interface → Network → Wireless
Add a new wifi SSID. Some APs made specifically for mesh backhaul may have a dedicated wifi module for this purpose, I’d recommend using one just for mesh, another one for dumb AP.
Device Configuration: this will apply on the entire wifi module’s settings, skip this section when adding another SSID of the same wifi module.
General Setup: Operating frequency
| Field | Value |
| --- | --- |
| Mode | AC or N depending on your wifi module, AX not recommended |
Install luci-proto-gre, wpad-mesh-wolfssl packages then reboot.
Create a GRETAP tunnel over IPv4 interface like on the main router (let’s call it ROUTER), but this time:
Remote IPv4 address or FQDN: the IPv4 address of the main router.
Local IPv4 address: the IPv4 address of this AP.
Create 2 devices and 2 interfaces exactly the same as the main router if you’re using wired backhaul, except:
Devices: same as the main router, except:
Ignore the Firewall and Bridge VLAN filtering section.
Add @ROUTER.3 to the Bridge ports field of br-guest.
Interfaces:
No need to define the firewall.
Protocol of the 2 interfaces is DHCP Client
The DHCP Server tab should still have a button Set up DHCP Server, else just check the Ignore interface in the General Setup of the DHCP Server tab.
Use default gateway is checked for the LAN interface. OpenWrt won’t be able to connect to the internet if this is unchecked, even though clients connected to this AP can still access the internet.
You should be able to see the IPv4 address(es) that the main router assigned to each interface of this AP in the Network → Interfaces → Interface tab. If you don’t, remove the interface and create it again. I’ve encountered this too.
Create a wifi mesh point that has the same configuration as the main router. After you see a Mesh Point in the Associated Station, disconnect the cable between the main router and this AP to avoid loopback.
LAN interface of APs (using wireless backhaul) that you’re temporarily plugged into the main router via a non-vlan (untagged primary vlan) port.
Only LAN and GUEST interfaces of the main router can have Static address protocol, have firewall and the button Set up DHCP Server clicked. Everything else on other dumb APs must use DHCP client protocol.
firewall, dnsmasq and odhcpd are disabled on all dumb APs.
Important: there are 3 ways to connect the LAN interfaces of the routers together:
Via cable using VLANs: Enable VLAN filtering
Via wireless using mesh: 802.11s and set bind interface to lan
Via GRETAP tunnel: add @ROUTER.<vlanID>/@AP.<vlanID> to the Bridge ports field of the bridge interfaces.
Since we’re already using 802.11s for mesh, we don’t need to use VLAN filtering or add GRETAP tunnel to the bridge interfaces.