LEDE: Setting up a WLAN Access Point serving multiple SSIDs

I have already shown how you can separate devices based on their workload into different VLANs.

If you want to cover a larger region in your house with WLAN you will have to use multiple WLAN Access Points. Normally the WLAN Access Points will only serve one SSID.

But for many of these Access Points there is the possibility to use OpenWRT or LEDE as alternative OS. I will describe how to install LEDE on a TP-Link WR902AC.

You can have a look at the technical specifications of the TP-Link WR902AC in the LEDE Wiki: https://wiki.openwrt.org/toh/tp-link/tl-wr902ac

There you will also find the link to the necessary LEDE snapshot firmware, which you have to download because we will use it later on.

Installing the LEDE Firmware on the WR902AC

The first step is now to connect to the Stock Firmware of the WR902AC:

After powering up the WR902AC you will see two WLANs (2.4GHz and 5GHz). Just connect to one of the two WLANs using the Password which is printed on the device.

You will get an IP-Address in the class C network 192.168.0.0/24, the WR902AC will have the IP-Address 192.168.0.1.

Now you can connect using a Web-Browser to the address 192.168.0.1 and log in as the user admin with the complex password admin.

Navigating to: Advanced -> System Tools -> Firmware Upgrade you have to specify the LEDE Firmware (lede-ar71xx-generic-tl-wr902ac-v1-squashfs-factory.bin)

Now press Upgrade and wait until the Access Point has rebooted.

Now connect the Access Point via Ethernet to your computer.

The LEDE default IP-Address for the Access Point will be 192.168.1.1.

MacBook-Pro:~ moshous$ ssh -l root 192.168.1.1

BusyBox v1.27.2 () built-in shell (ash)
     _________
    /        /\      _    ___ ___  ___
   /  LE    /  \    | |  | __|   \| __|
  /    DE  /    \   | |__| _|| |) | _|
 /________/  LE  \  |____|___|___/|___|                      lede-project.org
 \        \   DE /
  \    LE  \    /  -----------------------------------------------------------
   \  DE    \  /    Reboot (SNAPSHOT, r5388-6fcf422)
    \________\/    -----------------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.

That was the most critical part – the LEDE firmware has been installed on the WR902AC.

Configuring the Access Point to serve multiple SSIDs

The default network for the br-lan is 192.168.1.0/24, the default IP-Address of WR902AC is 192.168.1.1.

root@LEDE:~# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0   0.0.0.0         255.255.255.0   U         0 0          0 br-lan

Now we have to configure a network address which is unique in our network.

Therefore we have to edit the file /etc/config/network and edit the “option ipaddr” and the “option gateway” for lan:

root@LEDE:~# cat /etc/config/network 
config interface 'loopback'
  option ifname 'lo'
  option proto 'static'
  option ipaddr '127.0.0.1'
  option netmask '255.0.0.0'

config globals 'globals'
  option ula_prefix 'fd41:9167:9bc8::/48'

config interface 'lan'
  option type 'bridge'
  option ifname 'eth0'
  option proto 'static'
  option ipaddr '192.168.178.6'
  option netmask '255.255.255.0'
  option gateway '192.168.178.2'
  option ip6assign '60'

Disable DHCP:

root@LEDE:~# service odhcpd disable
root@LEDE:~# uci set dhcp.lan.ignore=1
root@LEDE:~# uci commit dhcp

Add DNS Server entry to /etc/dnsmasq.conf:

server = 192.168.178.2

Now we can reboot the Access Point and connect its Ethernet port to our network.

After the reboot, check your IP address:

root@LEDE:~# netstat -rn
Kernel IP routing table

Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.178.2   0.0.0.0         UG        0 0          0 br-lan
192.168.178.0   0.0.0.0         255.255.255.0   U         0 0          0 br-lan

Install LuCI, the LEDE GUI

Now we have to update the package list:

root@LEDE:/etc/config# opkg update
Downloading http://downloads.lede-project.org/snapshots/targets/ar71xx/generic/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_core
Downloading http://downloads.lede-project.org/snapshots/targets/ar71xx/generic/packages/Packages.sig
Signature check passed.
Downloading http://downloads.lede-project.org/snapshots/packages/mips_24kc/base/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_base
Downloading http://downloads.lede-project.org/snapshots/packages/mips_24kc/base/Packages.sig
Signature check passed.
Downloading http://downloads.lede-project.org/snapshots/packages/mips_24kc/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_luci
Downloading http://downloads.lede-project.org/snapshots/packages/mips_24kc/luci/Packages.sig
Signature check passed.
Downloading http://downloads.lede-project.org/snapshots/packages/mips_24kc/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_packages
Downloading http://downloads.lede-project.org/snapshots/packages/mips_24kc/packages/Packages.sig
Signature check passed.
Downloading http://downloads.lede-project.org/snapshots/packages/mips_24kc/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_routing
Downloading http://downloads.lede-project.org/snapshots/packages/mips_24kc/routing/Packages.sig
Signature check passed.
Downloading http://downloads.lede-project.org/snapshots/packages/mips_24kc/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/reboot_telephony
Downloading http://downloads.lede-project.org/snapshots/packages/mips_24kc/telephony/Packages.sig

The next step is to install LuCI:

root@LEDE:/etc/config# opkg install luci
Installing luci (git-17.316.07773-4891dea-1) to root...
[...]

Configuring luci-base.
Configuring luci-mod-admin-full.
Configuring luci-proto-ipv6.
Configuring uhttpd.
Configuring uhttpd-mod-ubus.
Configuring rpcd-mod-rrdns.
Configuring luci.

Enable the Webserver on reboot and start it:

root@LEDE:/etc/config# /etc/init.d/uhttpd start
root@LEDE:/etc/config# /etc/init.d/uhttpd enable

Now you can also connect to the Access Point using a web browser.

Creating VLANs on the WR902AC

There is a nice description of the different ways to create VLANs in the LEDE documentation: VLAN explained

“Single-port devices and devices where there is an ethernet controller for each port […] will have VLAN managed by OS drivers.”

The WR902AC has only one Ethernet port and indeed it has no internal Ethernet switch. So we have to configure the VLANs in the OS drivers.

To test the configuration I prepare my Turris Omnia to have Port 3 with the LAN (VLAN 1) untagged, DMZ tagged as VLAN 3 and GAST tagged as VLAN 4 and connect the WR902AC to it.

To add VLAN devices you have to edit /etc/config/network and add a stanza. The following example will add two VLANs (DMZ and GAST).

config interface 'DMZ'
        option ifname 'eth0.3'
        option _orig_ifname 'eth0'
        option _orig_bridge 'false'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.179.6'
        option type 'bridge'

config interface 'GAST'
        option ifname 'eth0.4'
        option _orig_ifname 'eth0'
        option _orig_bridge 'false'
        option proto 'static'
        option ipaddr '192.168.180.6'
        option netmask '255.255.255.0'

To enable the configuration you have to restart the network services:

root@LEDE:~# /etc/init.d/network restart

Now we can test the network configuration by pinging the connected Turris Omnia:

root@LEDE:~# ping -c 1 192.168.178.2
PING 192.168.178.2 (192.168.178.2): 56 data bytes
64 bytes from 192.168.178.2: seq=0 ttl=64 time=1.285 ms
--- 192.168.178.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.285/1.285/1.285 ms

root@LEDE:~# ping -c 1 192.168.179.2
PING 192.168.179.2 (192.168.179.2): 56 data bytes
64 bytes from 192.168.179.2: seq=0 ttl=64 time=1.290 ms
--- 192.168.179.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.290/1.290/1.290 ms

root@LEDE:~# ping -c 1 192.168.180.2
PING 192.168.180.2 (192.168.180.2): 56 data bytes
64 bytes from 192.168.180.2: seq=0 ttl=64 time=0.733 ms
--- 192.168.180.2 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.733/0.733/0.733 ms

Adding WLAN SSIDs to the different VLANs

To add the SSIDs you have to edit the /etc/config/wireless config file:

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'LEDE'
        option encryption 'none'

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option encryption 'none'
        option network 'DMZ'
        option ssid 'LEDE_DMZ'

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option encryption 'none'
        option ssid 'LEDE_GAST'
        option network 'GAST'

To enable the configuration you have to restart the network services:

root@LEDE:~# /etc/init.d/network restart

Checking the configuration

There are now three WLANs advertised by the WR902AC. You can now connect to each of the SSIDs and check whether your computer gets a DHCP address from the Turris Omnia. As an example, I show the Interface and Wireless sections of the LuCI GUI:

Securing the WR902AC

After we have successfully connected to the Access Point via WLAN on all SSIDs, please secure the device by:

  • setting a password for the WR902AC
  • enabling Wireless Security
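
A check for the second point, as an added example that is not part of the original post: the script lists every wifi-iface stanza whose encryption is 'none' or unset. The sample input is constructed from the stanzas above, with WPA2-PSK and a placeholder key set on the GAST stanza; the function names are made up for this example.

```shell
# Added example, not from the original post. Constructed sample: the first two
# wifi-iface stanzas as configured above, and the GAST stanza with WPA2-PSK set
# (the key is a placeholder).
sample_wireless() {
cat <<'EOF'
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'LEDE'
        option encryption 'none'

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option encryption 'none'
        option network 'DMZ'
        option ssid 'LEDE_DMZ'

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option encryption 'psk2'
        option key 'REPLACE-WITH-LONG-PASSPHRASE'
        option ssid 'LEDE_GAST'
        option network 'GAST'
EOF
}

# Print "index ssid network" for each wifi-iface whose encryption is 'none'
# or unset; index is the N in uci's wireless.@wifi-iface[N].
open_ssids() {
    awk '
    function report() { if (iface && (enc == "" || enc == "none")) print idx, ssid, net }
    function val(s) {   # option value without "option <name>", padding and quotes
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", s); sub(/[ \t]+$/, "", s)
        gsub("^[\047\"]|[\047\"]$", "", s); return s
    }
    $1 == "config" { report(); iface = ($2 == "wifi-iface"); if (iface) idx = n++
                     ssid = net = enc = "" }
    iface && $1 == "option" {
        if ($2 == "ssid") ssid = val($0)
        else if ($2 == "network") net = val($0)
        else if ($2 == "encryption") enc = val($0)
    }
    END { report() }
    ' "$@"
}
sample_wireless | open_ssids    # on the AP: open_ssids /etc/config/wireless
```

Each reported index N is the section that uci addresses as wireless.@wifi-iface[N], so the encryption and key options can be set there with uci set, followed by uci commit wireless and wifi.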
