What features/functions are lost when converting to "AP mode" ?

develox

Regular Contributor
I've recently started to experiment with pure firewalls in my home network (Watchguard, ZyXEL, etc), and I'm hence pondering the idea of converting the role of my RT-AC68U from router to "AP mode".

It's not clear to me, though, what I lose in terms of functionality by doing it.

In my current setup, I have for example NAT and DHCP active, and that's fine to change by delegating to the other appliance. I assume DHCP clients' requests will transparently be routed to the firewall with no issues, while NAT will be handled by the latter as well (no point in double NATting).

I also use the Media Server and File Server. Through Entware, I use Transmission (and even have Snort installed, working in logging-only mode). I have isolated guest networks on both the 2.4 and 5GHz bands (not always using both of them concurrently). I also run OpenVPN server and client (the latter has post-boot configs in the jffs partition).

What do I lose of all this and anything else I can't think of in switching to AP mode ?

Thanks !
Peppe
 
Look at it this way, the LAN tab has IP, subnet, gateway and DNS, no other tabs.
Media server is the same, no VPN or firewall tabs & Wireless is the same from what I can see.
 
Thanks, that's enough to make me wonder if there's a way to accomplish the same result (let my main firewall/router handle NAT, DNS and DHCP) while still keeping the RT-AC68U in router mode.
 
as in turn off NAT and DHCP using the options in the settings :)

One's under LAN > DHCP Server
and the other under WAN

And you can tell it what IP to look at for DNS, it is all there, you just need to look m8.
 
That's exactly what I've tried this morning briefly before starting to work (can't interrupt the network once I start). And it didn't work ... AC68U's clients didn't get IP addresses in the firewall's IP range (using its DHCP server) while of course the WAN side of the AC68U kept doing it and worked, and data was not routed from the AC68U's LAN side out of it. I suspect there's something more to this, perhaps in the routing area.
 
I believe there are other posts where users have had success by a) disabling DHCP and b) manually setting the router's IP address to something like 192.168.1.2. After that you need to plug the Ethernet cable from your "real" router into one of the ASUS's LAN ports. Do not use the WAN port.

You should, in theory, retain all of the added features (media server, etc) but because you're using a LAN port the 2 devices are just connected as a switch (rather than a router).

The ASUS will probably get a bit confused because it is expecting to access the internet via the disconnected WAN port. So don't expect it to get NTP time for example.
 
Hi Colin,

thanks for the suggestion. I'm looking for it with no luck so far, could you please point something out for my reading?
 
I couldn't find anything definitive other than these perhaps:

http://www.smallnetbuilder.com/wire...onvert-a-wireless-router-into-an-access-point
https://www.google.co.uk/#q=convert+router+to+access+point+site:www.snbforums.com

I think it's pretty straightforward really.

First you need to manually configure your PC's IP settings because at some point in this process you'll probably be without a DHCP server.

Then you need to change the IP address of the "access point" to something like 192.168.1.2 (assuming your main gateway router is 192.168.1.1) and make sure it's excluded from the DHCP range on your "main" router/server. Reboot and make sure you can access it with the new IP address.

After that disable DHCP and UPnP (maybe disable WAN as well). Go through all of the GUI screens and disable any functions (like FTP, NFS, parental control, VPN, etc.) you're not using to minimise potential conflicts.

Connect the LAN ports of both devices and reboot everything. Reconfigure your PC network interface back to using DHCP and reboot.

That's it as far as I can think. You might have to fiddle about with things like Transmission, but you'll have to cross those bridges when you come to them.
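
The address plan and the DHCP step from the post above can be checked before and after the change. This is an added example, not part of the original thread: the addresses, the DHCP pool and the dhclient-style log lines are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. All addresses and log lines are constructed.

# ip_to_int A.B.C.D: print the address as a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1            # split the dotted quad into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# check_ap_plan GATEWAY PREFIXLEN AP_IP POOL_START POOL_END (hypothetical helper)
# Prints "ok" or the first problem found; returns 0 only for "ok".
check_ap_plan() {
    gw=$(ip_to_int "$1"); ap=$(ip_to_int "$3")
    lo=$(ip_to_int "$4"); hi=$(ip_to_int "$5")
    mask=$(( (0xFFFFFFFF << (32 - $2)) & 0xFFFFFFFF ))
    if [ "$ap" -eq "$gw" ]; then
        echo "conflict: AP uses the gateway's address"; return 1
    fi
    if [ $(( ap & mask )) -ne $(( gw & mask )) ]; then
        echo "unreachable: AP is outside the gateway's subnet"; return 1
    fi
    if [ "$ap" -ge "$lo" ] && [ "$ap" -le "$hi" ]; then
        echo "conflict: AP address is inside the DHCP pool"; return 1
    fi
    echo "ok"
}

# other_dhcp_servers LOG GATEWAY (hypothetical helper): print each server
# other than GATEWAY that sent a DHCPOFFER. Assumes dhclient-style lines
# where the offering server's address is the last field.
other_dhcp_servers() {
    printf '%s\n' "$1" | awk -v gw="$2" '
        /DHCPOFFER/ { src = $NF; if (src != gw && !seen[src]++) print src }'
}

# Constructed client log: the AP (192.168.1.2) still has its DHCP server on.
SAMPLE_LOG='dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67
dhclient: DHCPOFFER of 192.168.1.120 from 192.168.1.1
dhclient: DHCPOFFER of 192.168.1.50 from 192.168.1.2'

check_ap_plan 192.168.1.1 24 192.168.1.2 192.168.1.100 192.168.1.200
other_dhcp_servers "$SAMPLE_LOG" 192.168.1.1
```

Any address printed by `other_dhcp_servers` is a second DHCP server still answering on the LAN, which is what the "disable DHCP" step is meant to prevent.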
 
Hi Colin,

thanks for your suggestions. They indeed work, as far as having the Asus' switch directly connected to one of the main firewall's LAN. Yet, if I understand correctly, this is done at the expense of disconnecting the Asus' WAN interface (with all annexed services). I think my question should actually be reformulated as something like "is it possible to use a device like the RT-AC68U as a normal router without NAT?" (i.e. by having its internal switch still going outbound via the WAN interface, but without any address translation done at that stage; it will be done by the main firewall anyway before reaching the public internet).
 
Hi,

The short answer is "I don't know". I don't have a setup like yours that I can test, but disabling NAT and the firewall looks like it might do what you want. You'll have to try it and see. My only thought is that it might not pass broadcast packets between the interfaces.

What "annexed services" are you talking about? I guess they're ones that access the internet? If so you could probably leave things as they are but just add a default route on the ASUS to your gateway device. The ASUS won't have one in its current configuration so any services running on it probably don't know how to get to the internet.
Code:
# ip route add default via 192.168.1.1
Assuming your gateway is 192.168.1.1
 
but disabling NAT and the firewall looks like it might do what you want.

Indeed, but it doesn't work. The problem in doing so is not that the annexed services don't work; they actually do. I can even reach my work server via the VPN from a PC wired to the Asus' switch. The WAN side of the Asus is perfectly connected to the public internet (I can make a test ping outside from an SSH terminal into the router).
The problem is rather the opposite: it's the Asus' internal switch traffic (LAN) that doesn't make it through the WAN interface, and it's then isolated. From the point of view of a LAN client in the Asus' switch, no NAT means no internet.
As the subject of the discussion has changed to "how to properly disable NAT and still have the router working normally", I've opened a specific thread for this.

Thanks a lot Colin for your attention up to this point.
 
