On the OpenWRT Switch page, I have set LAN port 1 (along with a backup LAN port 2 but you can just use a single port) as the VLAN trunk port (tagged) to allow it to carry the traffic through to the VLAN access ports (untagged) [home = VLAN 3 && guest = VLAN 4]. This will create the sub-interfaces eth0.3 and eth0.4 which will contain the separated ethernet Layer 2 traffic from the WiFi clients (ARP, DHCP via dnsmasq, mDNS, etc).
Note: Make sure to tag the CPU along with the LAN ports and ignore the untagged VLAN 5, I’m using it as an isolated management network (firewalled off with iptables at Layer 3).
Linksys WRT32X Switch Setup:
You can then go to the Networks section in the UniFi AP Site configuration and add a VLAN-Only Network (set the ID to 3 or 4) and then on the Wireless page create an SSID which uses that Network Name in the WiFi settings.
Note: To achieve a similar setup on a OpenWRT AP, you can use the WAN port tagged on those same VLAN numbers and then on the Interfaces page create an unmanaged interface type from the related VLAN sub-interface listed – this interface can then be assigned to the SSID network under the Wireless networks page.
There is a small issue that I noticed in the UAP-AC-PRO firmware images — I’ve posted this issue on the community forums and also filed a tracker report. It’s a shell script (or incomplete image) type of error depending on how you look at it but if you SSH into the AP you’ll notice this trace file:
So starting 2021 and continuing on the theme of UFO shaped things, I decided to replace our home AP (TP-Link Archer C7 V5 – good Qualcomm Atheros radios, low CPU/RAM/Disk) and the guest AP (Linksys WRT1900ACS – good RAM/CPU/Disk, bad Marvell radio driver support) which were both running OpenWRT. I was able to achieve a fairly stable and fast setup with those routers by keeping the tp-link minimal and the linksys in a basic wireless environment setup.
I wanted to try a new product to replace them both and also help expand my knowledge along the way. I picked up a couple of Ubiquiti APs to run each network type (at 802.11ac-3×3-1300mbps) and they are connected via a CAT6-gigabit-ethernet cable on VLAN-ports to a Linksys WRT32X router. This OpenWRT router is acting as a wireless client bridge to carry all the internal network traffic via a dedicated and separated 802.11ac backchannel to another TP-Link Archer C7 V5 router in the basement which is then connected to a cable modem for internet access.
They were pretty easy and straight forward to setup (just remember to download Java 8 for the UniFi controller software). They have good CPU/RAM and stable wireless radio capabilities. They came with the POE injectors in the box (no cables though) and the OS on them is very powerful allowing for features like 5Ghz band steering in a dual frequency, single SSID WiFi setup.
They do one thing and one thing well which is exactly what I was looking for!
A Long Time Ago
Back To The Future
Edit: There seems to be a DHCP issue going on with the firmware image, make sure to:
Well this year has been a rough one so far and it can be hard to stay sane while being inside all the time! I tried to keep busy as much as possible to help stay active — I was gifted a cool xmas toy to play with and observe in the mean time (I had my money on aliens making an appearance before the end of the year but it looks like this will have to do for now…):
I edited some squircle-style icons for macOS BigSur (VLC, BBEdit, iTerm, Transmission, Chrome) and I thought I’d post them here in case anyone wants to help make their dock look a little more uniform with everything else.
Edit: After some small annoyances, I’ve switched my browser to Firefox and my editor to TextMate — they are better-built macOS apps! Also added a Music app icon.
So there is modified version of openwrt (called davidc502) that is meant to include a more updated set of wireless drivers for the radios in the linksys wrt32x router. It’s a pretty cool alternative that I’m glad exists which is trying to make the stability and performance better for these devices that are poorly supported by its creators. For example, I recorded the wifi module versions of openwrt vs davidc502 below:
However, one thing to note, when I first ran netstat on it I was surprised to see soo many running services listening on all kinds of ports, I had to go through and turn most of them off in the services tab manually:
Update: Firefox has an extension called “REDIRECTOR” and you can enter an extended regex to achieve similar results: https?://[^/]*(fbcdn|facebook)[^/]*\..*
The first extension I always install in Chrome is “uBlock Origin” of course to try and prevent as many wasteful ads as possible but it doesn’t specifically target entire web properties such as all of facebooks sub domains that exist out there (for example, if someone puts a fb image or like button on their site and your browser loads that content, it’s another signal they can use with your information even though I don’t have a fb account).
I found a cool extension for Chrome called “Domain Blocker” which lets you specify wildcard sub domain names in a simple list to block any web requests at the browser level directly (no messy etc/hosts file setups or maintenance needed). For example, you can grab a master list of facebook domain names and place some basic regex in it to produce a nice short list to block automatically:
If you are running a bridged/relayd network with macs on it you may need to also forward the multicast broadcasts (mDNS related) that allow the devices to automatically discover each other. On the WRT wifi client side, there is a pkg called avahi-daemon and you can configure to operate in “reflector” mode to forward these broadcasts across the specified interfaces. Running this service along with the dhcprb C program which takes care of layer 2 arp requests & dhcp gateway forwarding has been pretty smooth so far!
So it took me a while to update & re-write the dhcp relayd functionality that I made in python previously. This new C file can relay & rebroadcast both arp and dhcp packets via raw sockets. For DHCP relaying, it has to be able to insert the bridges IP address into the request so that the server replies back to us and then we can forward it on (so we can run only 1 dhcp server total on the network). The last interface specified in the list is designated as the dhcp server interface to send the requests coming in.
Also tried to reduce the number of system calls made by reading both the arp table proc file and routing table file instead (only 1 sys call to replace host route entries on the bridge router).
It’s been a while since I used select with multiple sockets but this compile uses less memory while running versus the python version, although the py version is easier to read and maintain (depends on your needs).
I was having troubles getting dnsmasq to be a simple DHCP relay/forwarder/proxy and I didn’t want to add this into the ARP relay C code to keep that as simple as possible so I wrote this little Python script that will basically bridge 2 interfaces together (one that has DHCP clients on it and one that is connected to the DHCP server [1 main server running for the whole network]).