Create a routed Access Point with Raspberry Pi and OpenWrt

In this article, I will show you how to configure your Rapberry Pi into a routed WiFi access point. This configuration is a little bit more complicated than the configuration of my previous post that is available under this link.

In this configuration, the WiFi clients are on a different subnet than the management workstation. The Raspi will act as a router and forward all packets from the clients to the Lan network using Masquerading (Port Address Translation)

Schema

 

 

Get the current OpenWrt image

 

https://downloads.openwrt.org/releases/18.06.1/targets/brcm2708/bcm2710/

Take the current factory image (openwrt-18.06.1-brcm2708-bcm2710-rpi-3-ext4-factory.img.gz)

Burn the image with etcher

Change LAN IP address of Raspi

 

For this you will need to configure your management workstation IP address to 192.168.1.2 with subnet mask 255.255.255.0.

Then open a browser and access to the default IP of the Raspi (192.168.1.1)

By default, the password is empty.

Then, navigate to Network – Interfaces and edit LAN interface

Disable DHCP server on this interface

To apply this configuration, you will need to first click on “Save & Apply” and then force apply with “Apply unchecked”.

Your Raspi is now available under 192.168.0.30.

You can revert your management workstation Ip configuration to DHCP.

Begin by doing some cleanup

 

Open a browser and access to the new IP address of the Raspi (192.168.0.30)

Navigate to Network – Wireless and remove the default wireless SSID OpenWrt (see below)

Navigate to Network – Firewall, and under “General Settings” delete all Zones

Under “Traffic Rules” delete all Rules.

Create a new wireless SSID for Guest

 

Navigate to Network – Wireless and add a new SSID called Guest associated with a network called Guest too.

You should now have a brand new SSID (see below)

Configure the new Guest Interface

 

Navigate to Network – Interface and edit the newly created Guest Interface

Under General Setup, change the protocol from “Unmanaged” to “Static address”

Then click “Apply” and configure the IP address and the netmask of the Guest Interface

Assign a DHCP server to this interface.

Create firewall Zones for the interfaces

 

Navigate to Network – Interfaces and edit the LAN Interface

Under “Firewall Settings” create a new zone called LAN (notice that DHCP server should be disabled for the LAN interface)

Do the same for Interface Guest (notice that DHCP server should be enabled for the GUEST interface)

Configure the firewall

 

Navigate to Network – Firewall, you should now see two zones

Edit the zone Guest and configure it as bellow:

  • Name : guest
  • Input : accept
  • Output : accept
  • Forward : accept
  • Masquerading : unchecked
  • MSS clamping : unchecked
  • Covered Network : guest
  • Allow forward to destination zones : lan
  • Allow forward from source zones : empty

Edit the zone Lan and configure it as bellow:

  • Name : lan
  • Input : accept
  • Output : accept
  • Forward : reject
  • Masquerading : checked
  • MSS clamping : checked
  • Covered Network : lan
  • Allow forward to destination zones : empty
  • Allow forward from source zones : guest

The general setting should look like this

Click on “Save and Apply”

Navigate to Network – Wireless and enable the newly created SSID “Guest”

Then, check if it works by connecting a wireless device to the “Guest” SSID

That’s all folks

Leave a Reply

Close Menu