R9000 - Bridge WLAN to WAN

Dodge DeBoulet
DD-WRT User


Joined: 20 Jan 2007
Posts: 61

Posted: Sun Feb 18, 2024 15:02    Post subject: R9000 - Bridge WLAN to WAN
I don't think this is really a weird configuration but I'm just not finding the right combination of settings to make it work.

I have a dedicated OPNSense firewall supporting my internet connection, a Pi-Hole handling DHCP and DNS, and a pair of Asus ET12s providing my mesh for Wifi6/6E (the ET12s replaced an R9000 that wasn't providing reliable coverage to the whole house).

I'd like to press the R9000 back into service for a very specific purpose, with these two requirements:

• All wired ports and wireless access points on the R9000 would be part of the same IP subnet as the firewall's LAN adapter (ex. network 10.0.0.0/24)
• The R9000 and all its wired/wireless attached devices would obtain their IP addresses and other DHCP configuration values from the Pi-Hole


I've tried disabling the WAN adapter and bridging it to the LAN, but that doesn't seem to provide wifi access. And the R9000 does not seem to request an IP address from the Pi-Hole.

Is this possible? The ET12s (using the stock firmware) have a very simple toggle for this sort of use, but they're not really relevant to the problem I'm attempting to solve.

And I'm running v44715 on the R9000. I'm going to try something more recent ...
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6447
Location: UK, London, just across the river..

Posted: Sun Feb 18, 2024 15:18
44715 is bad and old firmware, please update to the last first... https://download1.dd-wrt.com/dd-wrtv2/downloads/betas/2024/

reset and manually recompile... your settings!

_________________
Atheros
TP-Link WR740Nv1 ---DD-WRT 55630 WAP
TP-Link WR1043NDv2 -DD-WRT 55723 Gateway/DoT,Forced DNS,Ad-Block,Firewall,x4VLAN,VPN
TP-Link WR1043NDv2 -Gargoyle OS 1.15.x AP,DNS,QoS,Quotas
Qualcomm-Atheros
Netgear XR500 --DD-WRT 55779 Gateway/DoH,Forced DNS,AP Isolation,4VLAN,Ad-Block,Firewall,Vanilla
Netgear R7800 --DD-WRT 55819 Gateway/DoT,AD-Block,Forced DNS,AP&Net Isolation,x3VLAN,Firewall,Vanilla
Netgear R9000 --DD-WRT 55779 Gateway/DoT,AD-Block,AP Isolation,Firewall,Forced DNS,x2VLAN,Vanilla
Broadcom
Netgear R7000 --DD-WRT 55460 Gateway/SmartDNS/DoH,AD-Block,Firewall,Forced DNS,x3VLAN,VPN
NOT USING 5Ghz ANYWHERE
------------------------------------------------------
Stubby DNS over TLS I DNSCrypt v2 by mac913
Dodge DeBoulet
DD-WRT User


Joined: 20 Jan 2007
Posts: 61

Posted: Sun Feb 18, 2024 15:45
OK, now on r55109.

Settings look pretty much the same, so I'm still confused as to exactly what needs to happen. I do have the DHCP server turned off in the configuration and I've disabled the WAN port but I don't see an option to bridge it to the LAN on the same page (different behavior from 44715).
Dodge DeBoulet
DD-WRT User


Joined: 20 Jan 2007
Posts: 61

Posted: Sun Feb 18, 2024 15:51
Hmm. Is it as simple as adding the WAN port to br0?

What the hell, gonna try it. What's another factory reset if it doesn't work?
Alozaros
DD-WRT Guru


Joined: 16 Nov 2015
Posts: 6447
Location: UK, London, just across the river..

Posted: Sun Feb 18, 2024 15:52
if your DHCP and DNS are elsewhere, as you stated the Pi-Hole... then you need to set the router as a WAP...
disable the WAN and set, where it says Local DNS, the DNS you want to point to... also disable DNS masq DNS... and DHCP... if all is ok you should be ok...

https://wiki.dd-wrt.com/wiki/index.php/Wireless_access_point

https://wiki.dd-wrt.com/wiki/index.php/Linking_Routers

R9000 has a complex switch and is difficult to deal with...
don't think you can add the WAN to switch... but you can try...

WAP in Gateway mode...

(EGC WAY) WAP
I setup a WAP like this:
A WAP is a secondary router connected wired LAN<>LAN on the same subnet as the primary router.
Setup:
• On Basic Setup page:
o WAN disabled
o DHCP server Disabled (=off and NOT set as Forwarder!)
o Local IP address in subnet of primary router but outside DHCP scope, make sure the used IP address is unique on your network you cannot have duplicates.
o Gateway and Local DNS pointing to primary router (Basic Setup>Network Setup)
• Keep DNSMasq enabled (both on Basic Setup page and Services page)
• On Setup > Advanced Routing, keep Operating mode in the default Gateway (the wiki says Router mode but do not do that, either it does not matter (this case) or breaks things)
• On Security > Firewall keep the SPI Firewall enabled, although you do not want a firewall it will be automatically disabled as there is no WAN so no need to change this setting from default.
• Connect LAN <> LAN (do not use the WAN port unless you really need that extra port, for most routers traffic still must use the CPU so performance is lacklustre and there are some routers where the WAN port is not added to the br0 so the WAN port could be non-functional on some routers).

Note: Only for Broadcom routers, for best throughput enable CTF on Basic Setup page
You have to add the following rule to the firewall in order to get internet access from clients attached to the VAP/Bridge.
In the web-interface of the router (the WAP): Administration > Commands save Firewall:
#Always necessary (alternatively set static route on main router and NAT traffic from VAP/Bridge out via WAN):
Code:
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to $(nvram get lan_ipaddr)

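The addressing rule from the WAP setup quoted above (local IP inside the primary router's subnet, outside the DHCP scope, not a duplicate), as an added example that is not part of any post in this thread. The function names are hypothetical, the router address and DHCP scope are constructed sample values on the 10.0.0.0/24 network used as an example in the first post, and the duplicate check only covers the primary router's own address.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical and
# every address is a constructed sample on the 10.0.0.0/24 example network.

# ip_to_int A.B.C.D: print the address as an integer; fail if malformed.
ip_to_int() (
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case "$o" in 0?*|????*) exit 1 ;; esac   # no leading zeros, max 3 digits
        [ "$o" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# check_wap_ip WAP_IP PRIMARY_IP NETMASK DHCP_START DHCP_END
# Print "ok" and return 0 if WAP_IP fits the WAP rules, else print why not.
check_wap_ip() (
    wap=$(ip_to_int "$1") && gw=$(ip_to_int "$2") && mask=$(ip_to_int "$3") &&
        lo=$(ip_to_int "$4") && hi=$(ip_to_int "$5") ||
        { echo "malformed address"; exit 1; }
    net=$(( gw & mask ))
    bcast=$(( net | (~mask & 4294967295) ))
    [ $(( wap & mask )) -eq "$net" ] || { echo "outside primary subnet"; exit 1; }
    [ "$wap" -ne "$net" ] && [ "$wap" -ne "$bcast" ] ||
        { echo "network or broadcast address"; exit 1; }
    [ "$wap" -ne "$gw" ] || { echo "duplicates primary router"; exit 1; }
    [ "$wap" -lt "$lo" ] || [ "$wap" -gt "$hi" ] ||
        { echo "inside DHCP scope"; exit 1; }
    echo ok
)

# Demo: primary router 10.0.0.1/24, DHCP scope 10.0.0.100-10.0.0.200 (assumed).
# On the router itself the candidate could come from: nvram get lan_ipaddr
for ip in 10.0.0.2 10.0.0.150 10.0.1.2 10.0.0.1; do
    printf '%s: %s\n' "$ip" \
        "$(check_wap_ip "$ip" 10.0.0.1 255.255.255.0 10.0.0.100 10.0.0.200)"
done
```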
Dodge DeBoulet
DD-WRT User


Joined: 20 Jan 2007
Posts: 61

Posted: Sun Feb 18, 2024 16:15
Well it looks like adding the WAN port to br0 worked. And the R9000 was assigned an IP address by the Pi-Hole. Wired and wireless LAN connections through the R9000 are working too.

I'd read MANY times that the R9000 was squirrely for bridging, but that was a couple of years and two R9000 replacements ago. I assumed it would continue to be worked on.