VLAN and blocking WAN access to WiFi Guest

_Frank_

Hi, this is a long/detailed question with the hope to minimize follow-up questions.

I’m about to go crazy with this issue and I would really appreciate help.
My setup is:
ISP -> router running OpenWRT (OpenWrt 21.02.5) -> Trunk (vlan 1, 3t, 4t) -> RT-AC68U (Merlin FW 386.9, AP mode) -> WiFi Clients
The OpenWRT router has been configured with VLAN 1 for LAN devices, 3 for guest devices and 4 for IoT (no WAN access with firewall rule).
VLANs are configured with the DSA framework. I followed these videos to get started:
These videos explain how to define firewall rules so IoT_Zone doesn’t get WAN access (basically no forwarding rule)
LAN is on 192.168.1.x
IoT is on 10.10.40.xxx, DHCP server enabled, VLAN4
When I test the configuration of the OpenWRT router for VLAN 4 (by using one LAN port set up on the VLAN) I get the expected behaviour:
Client device gets an IP in 10.10.40.xx and no internet access.
LAN devices can access IoT zone as expected.

RT-AC1900P (same as AC68U) has a 5-port switch. Port 0 goes to the WAN connector, port 5 to CPU (host).
It is configured in AP mode (not router).
My switch configuration is as follows:
robocfg vlan 1 ports "0 1 2 5t"
robocfg vlan 3 ports "0t 3 5t"
robocfg vlan 4 ports "0t 4 5t"
I have validated that connecting a device in LAN port 4 gives me a dynamic IP in 10.10.40.xx range as expected. This client cannot access internet as expected.

So from a VLAN/ethernet switch/firewall point of view, everything seems to be working as expected.

Now with the following script, I set up all WiFi guest networks to be part of vlan3 or vlan4.
Code:
script="/jffs/scripts/services-start"

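# Quote the heredoc delimiter so $(date) and the backticks in the comments
# below are written to the file literally instead of being expanded now.
tee "${script}" > /dev/null << 'EOF'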
#!/bin/sh

# multi SSID with VLAN script, for ASUS AC68U/AC1900P with merlin
#
# setup before hand:
#       set "router" to "AP Mode"
#               this will put all ports and wireless in br0
#       create 2+ guest network
#       enable Administration => System => Enable JFFS custom scripts and configs
#       put this script in /jffs/scripts/, name should be "services-start"
#               remember `chmod 775 services-start`
#       reboot
# Original AP mode:
#       eth0 sw port 0 => UPLink/WAN
#       eth0 sw Port 5 => CPU/HOST port (vlan 1 and 2 tag)
#       eth0 sw port 1-4 => LAN port 1-4
#       eth1 => WiFi 2.4G
#       eth2 => WiFi 5G
#       wl0.n => WiFi 2.4G guest
#       wl1.n => WiFi 5G guest
# This setup:
#       UPLink/WAN port (eth0 sw port 0) as a tagged port
#       LAN ports (eth0 sw 1-2) and primary WiFi (eth1,2) will be on VLAN 1
#       eth0 sw port 1-2 => LAN port 1-2
#       eth0 sw port 3 => LAN port 3, (vlan3)
#       eth0 sw port 4 => LAN port 4, (vlan4)
#       br0 => LAN (vlan1)
#       br1 => Guest LAN (vlan3)
#       br2 => IoT LAN (vlan4)
#       wl0.1 => WiFi 2.4G guest (vlan3)
#       wl1.1 => WiFi 5G guest (vlan3)
#       wl0.2 => WiFi 2.4G IoT (vlan4)
#       wl1.2 => WiFi 5G IoT (vlan4)
#
(
echo "============== START: $(date) =================="
#ip a >> /jffs/scripts/log
#ip r >> /jffs/scripts/log

# remove interfaces we're gonna move to other bridges
brctl delif br0 wl0.1
brctl delif br0 wl0.2
brctl delif br0 wl1.1
brctl delif br0 wl1.2

nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set br0_ifnames="vlan1 eth1 eth2"

# Remove SW port4 from vlan1
robocfg vlan 1 ports "0 1 2 5t"
robocfg vlan 3 ports "0t 3 5t"
robocfg vlan 4 ports "0t 4 5t"

# Add VLANs
#ip link add link eth0 name vlan3 type vlan id 3
#ip link add link eth0 name vlan4 type vlan id 4
vconfig add eth0 3
vconfig add eth0 4

#ip link set vlan3 up
#ip link set vlan4 up
ifconfig vlan3 up
ifconfig vlan4 up

brctl addbr br1
brctl addif br1 vlan3
brctl addif br1 wl0.1
brctl addif br1 wl1.1
ip link set br1 up

nvram set lan1_ifnames="vlan3 wl0.1 wl1.1 "
nvram set br1_ifnames="vlan3 wl0.1 wl1.1"
nvram set lan1_ifname="br1"
nvram set br1_ifname="br1"

nvram set wl0.1_ap_isolate=1
wl -i wl0.1 ap_isolate 1

brctl addbr br2
brctl addif br2 vlan4
brctl addif br2 wl0.2
brctl addif br2 wl1.2
ip link set br2 up

nvram set lan2_ifnames="vlan4 wl0.2 wl1.2 "
nvram set br2_ifnames="vlan4 wl0.2 wl1.2"
nvram set lan2_ifname="br2"
nvram set br2_ifname="br2"


killall eapd && eapd

robocfg show
brctl show
ip a
ip r

) 2>&1 | tee -a /jffs/scripts/logfile.log
EOF

chmod 775 "${script}"

I have tried with both:
“ip link add link eth0 name vlan4 type vlan id 4” or “vconfig add eth0 4” since some users mentioned the ip command may not work on all routers.

And this is the log file:
Code:
admin@RT-AC1900P-7980:/jffs/scripts# ll
-rw-rw-rw-    1 admin    root          3764 May  5  2018 logfile.log
-rwxrwxr-x    1 admin    root          2777 Feb 10 01:55 services-start*
admin@RT-AC1900P-7980:/jffs/scripts# cat logfile.log
============== START: Fri Feb 10 01:55:46 GMT 2023 ==================
interface wl1.2 does not exist!
interface wl1.2 does not exist!
Switch: enabled
Port 0: 1000FD enabled stp: none vlan: 1 jumbo: off mac: xx:xx:xx:xx:89:e8
Port 1: 1000FD enabled stp: none vlan: 1 jumbo: off mac: xx:xx:xx:xx:9d:1d
Port 2:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 3: 1000FD enabled stp: none vlan: 3 jumbo: off mac: xx:xx:xx:xx:23:75
Port 4:   DOWN enabled stp: none vlan: 4 jumbo: off mac: 00:00:00:00:00:00
Port 5: 1000FD enabled stp: none vlan: 1 jumbo: off mac: xx:xx:xx:xx:79:80
Port 7:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
Port 8:   DOWN enabled stp: none vlan: 1 jumbo: off mac: 00:00:00:00:00:00
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0 1 2 5t
   2: vlan2: 5t
   3: vlan3: 0t 3 5t
   4: vlan4: 0t 4 5t
bridge name    bridge id        STP enabled    interfaces
br0        8000.xxxxxxxx7980    no        vlan1
                            eth1
                            eth2
br1        8000.xxxxxxxx7980    no        vlan3
                            wl0.1
                            wl1.1
br2        8000.xxxxxxxx7980    no        vlan4
                            wl0.2
1: lo: <LOOPBACK,MULTICAST,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
    inet 127.0.1.1/8 brd 127.255.255.255 scope host secondary lo:0
2: ifb0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN qlen 32
    link/ether xx:xx:xx:xx:c5:cc brd ff:ff:ff:ff:ff:ff
3: ifb1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN qlen 32
    link/ether xx:xx:xx:xx:4d:f3 brd ff:ff:ff:ff:ff:ff
4: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether xx:xx:xx:xx:79:80 brd ff:ff:ff:ff:ff:ff
5: dpsta: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
6: eth1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether xx:xx:xx:xx:79:80 brd ff:ff:ff:ff:ff:ff
7: eth2: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether xx:xx:xx:xx:79:84 brd ff:ff:ff:ff:ff:ff
8: vlan1@eth0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether xx:xx:xx:xx:79:80 brd ff:ff:ff:ff:ff:ff
9: vlan2@eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN
    link/ether xx:xx:xx:xx:79:80 brd ff:ff:ff:ff:ff:ff
10: br0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether xx:xx:xx:xx:79:80 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br0
11: wl0.1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether xx:xx:xx:xx:79:81 brd ff:ff:ff:ff:ff:ff
12: wl0.2: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether xx:xx:xx:xx:79:82 brd ff:ff:ff:ff:ff:ff
13: wl1.1: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether xx:xx:xx:xx:79:85 brd ff:ff:ff:ff:ff:ff
14: vlan3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether xx:xx:xx:xx:79:80 brd ff:ff:ff:ff:ff:ff
15: vlan4@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether xx:xx:xx:xx:79:80 brd ff:ff:ff:ff:ff:ff
16: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether xx:xx:xx:xx:79:80 brd ff:ff:ff:ff:ff:ff
17: br2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
    link/ether xx:xx:xx:xx:79:80 brd ff:ff:ff:ff:ff:ff
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
127.0.0.0/8 dev lo  scope link

Finally, I confirmed that the AP I am connecting to has the proper wl** link:
admin@RT-AC1900P-7980:/jffs/scripts# nvram show |grep -i iot
wl0.2_ssid=IoT2

A WiFi client connecting to the IoT network will receive an IP address in the 10.10.40.xx range, but it will be able to access the internet, and this is my problem. I have reviewed my script many times and the results of robocfg, brcfg, etc. I tried different tweaks, I cannot get the expected result.
A client connected to wl0.2 (IoT zone) should not be able to access outside my home network.

My script is set up to use wl1.2 (2nd 5GHz Guest Network), but it's not configured yet. I tried removing it from the script but that didn't solve the problem so I put it back in the script (reason for the error msg in the log file).


Do you have any hints on how to troubleshoot?
Thanks in advance.
 
As you're only using the Asus as an AP I suggest you use a firmware on it that actually supports VLANs, like OpenWRT or FreshTomato.
 
Hi Colin,
OpenWRT would have been perfect for me since I know it better, but unfortunately, this router uses a Broadcom chipset and "WiFi for the AC68U is completely unsupported!"
I haven't checked FreshTomato (dd-wrt, etc.) since I would prefer to stay with an OS I already know well.
I have used Merlin on this router for many years now and I'm satisfied, except that now I wanted to improve my LAN setup.
 
Another option is to totally reset it, make sure you are on 386 code (386.7_2 is my recommendation). Then enable guest wireless 1, which should create VLAN 501 and 502 for you after another reboot. Then you can just use robocfg to decide where you want to tag those VLANs back to your main router or what physical ports you want in them, etc. This is what I'm doing with my AC68U. VLAN 501 is the 2.4GHz Guest and VLAN 502 is the 5GHz guest but you can use brctl to move them around as you wish. VLAN 1 is the main wifi network still. Basically doing it that way takes care of a lot of the work for you.

If you want to stick with your own VLANs you're going to need to use vconfig, ifconfig (to turn up the new vlan interfaces you created), brctl, and robocfg. And ideally also update the NVRAM lan_ifnames, lan1_ifnames, lan2_ifnames etc.

I'm not 100% sure if you configure it as an AP if it still creates those VLANs, I've seen reports both ways. Maybe APs that are part of AiMesh get them and others don't, not totally sure.

I don't think you need IP link commands as those are used more for the HND chipset routers, what you want should be able to be accomplished with the commands above.
 
Hi,
I made my script based on different posts (this forum and others) and links such as these ones:
They all went with AP mode configuration and made a "services-start" script adapted to their router's particular HW construction.

With people mentioning they got successful results, I was under the impression that I might have misconfigured one nvram value or something like this in my script.
But what I read from your suggestions is that there is little chance that Merlin could realize what I'm looking for.

With proper use of brcfg, vconfig and nvram values, what could prevent Merlin FW from properly routing/tagging some packets to the proper vlan while some others get properly routed?
Thanks
 
NVRAM is really only for telling the router what to use for stats, etc, they should be correct but shouldn't stop it from working.

Did you use ifconfig to turn the new interfaces up? This works fine on merlin so you just have to find what you missed.

Nothing will get routed in AP mode, the router portion is disabled when configured as an AP.
 
Thanks for your clarifications DrinkingBird,

First you are right, I used the word "routed/tag" to describe the flow of packets. It's not the proper wording since my AC68U is configured in AP mode. But I simply wanted to describe the way some packets seemed to be properly tagged with vlan4, while some others aren't.

I have realized that some SoCs work with ip link** while the BCM47XX might work better with ifconfig/vconfig so this is what I currently use in my script.

I wasn't sure if setting nvram vars such as vlan1ports, vlan4ports, etc. would help with my problem.

There are other nvrams such as vlan_enable=0, vlan_rulelist=***, etc. that I could try to alter, but couldn't find any reason to do so.

I just made another test, I reset the router so that all ifaces statistics get reset.

I connected my phone to my IoT AP (wl0.2, vlan4) and started a speedtest on fast.com


ifaces/vlans*/br*/wl** that have nothing to do with vlan4 have a few kB of data.

In regards to the download part of the test: eth0 (trunk port) has received 88MB, vlan4 Rx 88MB, wl0.2 has sent 88MB. This all makes sense.

In regards to the upload part of the speed test: eth0 sent 50MB, wl0.2 received 49MB, vlan4 sent (from wl0.2 to eth0) 39MB, but 9MB were sent from wl0.2 to vlan1 to eth0.

That’s exactly my problem. Why, during the upload test, were 9MB out of the 50MB sent from wl0.2 through vlan1 instead of wl0.2 -> vlan4?

On my main router, I get the same picture, about 9MB out of 50MB were received from vlan1 (instead of being received from vlan4)

The last cause I have in mind (from similar questions on this forum) is that NAT acceleration could bypass the vlan tagging. Could this be the problem? And if so, how can I test this?

Regards.
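
The counter comparison described in the post above can be scripted so the split between VLANs is measured the same way on every attempt. This is an added example, not part of the original post: the function names are hypothetical, the snapshots are constructed to mirror the 39MB/9MB split, and it assumes no other client is active on the AP during the test.

```shell
#!/bin/sh
# Added example: which VLAN sub-interface did a guest/IoT client's upstream
# bytes leave on? Compare two /proc/net/dev snapshots taken around one upload.
# On the AP: BEFORE=$(cat /proc/net/dev); run the upload; AFTER=$(cat /proc/net/dev)

# TX byte delta for one interface. $1=before $2=after $3=interface name.
# Returns 1 if the interface is missing from either snapshot.
iface_tx_delta() {
    printf '%s\n@@\n%s\n' "$1" "$2" | awk -v want="$3" '
        $0 == "@@"          { second = 1; next }
        index($0, ":") == 0 { next }             # the two header lines
        {
            sub(/:/, " ")                        # "eth0:123" and "eth0: 123"
            if ($1 != want) next
            if (second) after = $10; else before = $10   # $10 = TX bytes
            seen++
        }
        END {
            if (seen != 2) exit 1
            d = after - before
            if (d < 0) d += 4294967296           # 32-bit counter wrapped once
            printf "%.0f\n", d
        }'
}

# Percentage of upstream bytes that left on $4 (wrong VLAN) instead of $3.
leak_percent() {
    good=$(iface_tx_delta "$1" "$2" "$3") || return 1
    bad=$(iface_tx_delta "$1" "$2" "$4") || return 1
    awk -v g="$good" -v b="$bad" 'BEGIN {
        t = g + b
        printf "%d\n", (t > 0 ? int(b * 100 / t) : 0)
    }'
}

# Constructed snapshots (not captured from a device).
HDR='Inter-|   Receive                                   |  Transmit
 face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed'
BEFORE="$HDR
  eth0: 5000 50 0 0 0 0 0 0 4000 40 0 0 0 0 0 0
 vlan1: 3000 30 0 0 0 0 0 0 2000 20 0 0 0 0 0 0
 vlan4: 1000 10 0 0 0 0 0 0 1000 10 0 0 0 0 0 0"
AFTER="$HDR
  eth0: 5000 50 0 0 0 0 0 0 48004000 40 0 0 0 0 0 0
 vlan1: 3000 30 0 0 0 0 0 0 9002000 20 0 0 0 0 0 0
 vlan4: 1000 10 0 0 0 0 0 0 39001000 10 0 0 0 0 0 0"

echo "vlan4 TX delta: $(iface_tx_delta "$BEFORE" "$AFTER" vlan4) bytes"
echo "vlan1 TX delta: $(iface_tx_delta "$BEFORE" "$AFTER" vlan1) bytes"
echo "share on wrong VLAN: $(leak_percent "$BEFORE" "$AFTER" vlan4 vlan1)%"
```

Any non-trivial share on vlan1 while only the IoT client is active means part of that client's traffic is leaving the segment the upstream firewall rules apply to.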
 
If you have an HND chipset you have to disable hardware acceleration for VLANs, but if you're using robocfg then it isn't HND and you shouldn't have to change it, mine has CTF enabled and is working fine. You could try it as a test though. I'm running an RT-AC1900 (non P) and VLANs work fine using robocfg, brctl, vconfig, and ifconfig. I've actually since revised it to make use of the built in 501 and 502 VLANs so all I have to use is robocfg as everything else is done for me.

Looking at your config above, I can see one issue right away, you have VLAN 1 and 3 both assigned to port 3 with no tagging. That could certainly explain why you're seeing traffic get split up. You should only have one untagged vlan on a port. Though if you aren't using port 3 then maybe that isn't hurting anything, not sure what you have connected where.

I don't have a spare router that I can wipe into AP mode to see what it looks like but back when I was doing my own VLAN, here are some of the commands I had to run. Granted I think I may have already had BR1 at that point as that was the guest bridge, so you might have to create that bridge

vconfig add eth0 999
ifconfig vlan999 up
brctl addif br1 vlan999 or maybe it was eth0.999
Then I added vlan999 or eth0.999 to the lan1_ifnames and some other NVRAM stuff. Honestly that was quite a while ago so I don't remember everything precisely.

Some have noted having to run "killall eapd" followed by "eapd" to restart that process after doing all the configs, though I did not find that necessary.

If there was some way for you to get the aimesh node config onto it with Guest Wireless 1 enabled you'd probably see exactly what you need to do, as it will have VLANs 501 and 502 configured and you can reverse engineer it. I'm assuming the configs when in router mode are somewhat different. But I don't know if that is possible, to tell it to be a node when you don't have a master. Assuming you're running 386 code base (386.7_2 is latest) when you select "Access Point(AP) mode / AiMesh Router in AP mode" and enable guest wireless 1 and restart, does it not create the 501/502 vlans?

Since there is no routing or firewall involved it should be pretty straightforward.
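
The "only one untagged VLAN on a port" rule from the reply above can be checked mechanically against the VLAN table that `robocfg show` prints. This is an added example, not code from the thread: the function name is hypothetical, FIXED reuses the VLAN lines from the log earlier on this page, and BROKEN is a constructed variant with port 3 untagged in both VLAN 1 and VLAN 3.

```shell
#!/bin/sh
# Added example: list switch ports that are untagged members of more than
# one VLAN. Reads `robocfg show` output on stdin, e.g.
#   robocfg show | untagged_conflicts
untagged_conflicts() {
    awk '
        # VLAN table rows look like "   3: vlan3: 0t 3 5t"
        /^ *[0-9]+: *vlan[0-9]+:/ {
            vid = $1; sub(/:$/, "", vid)
            for (i = 3; i <= NF; i++) {
                if ($i ~ /t$/) continue             # tagged: may be in many VLANs
                port = $i; gsub(/[^0-9]/, "", port) # drop any other suffix
                if (port == "") continue
                count[port + 0]++
                vlans[port + 0] = vlans[port + 0] " " vid
            }
        }
        END {
            # the switch in the thread reports ports 0-8
            for (p = 0; p <= 8; p++)
                if (count[p] > 1)
                    printf "port %d untagged in VLANs%s\n", p, vlans[p]
        }'
}

# VLAN table as shown in the log on this page.
FIXED='VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0 1 2 5t
   2: vlan2: 5t
   3: vlan3: 0t 3 5t
   4: vlan4: 0t 4 5t'

# Constructed variant: port 3 left untagged in VLAN 1 as well as VLAN 3.
BROKEN='Port 3: 1000FD enabled stp: none vlan: 3 jumbo: off mac: xx:xx:xx:xx:23:75
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 0 1 2 3 5t
   2: vlan2: 5t
   3: vlan3: 0t 3 5t
   4: vlan4: 0t 4 5t'

echo "fixed table:";  printf '%s\n' "$FIXED"  | untagged_conflicts
echo "broken table:"; printf '%s\n' "$BROKEN" | untagged_conflicts
```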
 
Hi DrinkingBird,
Good catch about sw port3 (untagged in 2 places). Although it did not solve my problem, since it's related to vlan4.

I made copies of the original router's config before changing the mode to AP (fresh nvrams) and for this FW version (Merlin FW 386.9), there was no vlan 501/502.
Code:
VLANs: BCM5301x enabled mac_check mac_hash
   1: vlan1: 1 2 3 4 5t
   2: vlan2: 0 5
admin@RT-AC1900P-7980:/tmp/home/root# brctl show
bridge name    bridge id        STP enabled    interfaces
br0        8000.b06ebf567980    yes        vlan1
                            eth1
                            eth2
admin@RT-AC1900P-7980:/tmp/home/root# cat /proc/net/vlan/config
VLAN Dev name     | VLAN ID
Name-Type: VLAN_NAME_TYPE_PLUS_VID_NO_PAD
vlan1          | 1  | eth0
vlan2          | 2  | eth0
admin@RT-AC1900P-7980:/tmp/home/root# ebtables --list
Bridge table: filter

Based on other threads on this forum (e.g. https://www.snbforums.com/threads/please-help-with-vlan-tagging-for-wap-use.78975/)
I think I'll give up using Merlin for my use case. It's a shame because I have found many versions of similar scripts and they seemed to work for their authors.

Thanks for your help anyway.
 
Those VLANs don't get created until you enable Guest Wireless 1, and I think even had to reboot before they were fully configured. They should also be created on an AiMesh node that has GW1 enabled, giving you basically exactly what you need, but not sure if it is possible to configure an AIMesh node without a master. But just from the configs created when in router mode you should see most of what you need.

I'm sure you're almost there, others have it working, probably just a matter of trying it piece by piece or finding another small error, but if not willing to troubleshoot and fiddle with it then yeah you'll need to look for something else to do what you need.
 
Hi everyone,
I wanted to follow up on this thread in case someone has a similar issue as I had.
I finally decided to make the big jump and switch to FreshTomato firmware (2023.1 K26ARM).
I carefully erased nvram before and after updating the FW.
It didn't take too much time to find how to disable WAN0 and set up the 3 bridge interfaces, create the 3 VLANs, and configure the switch port VLANs with the UI.
Then assigning each virtual wlan to the appropriate bridge interface was very easy.
After doing all this, my IoT AP was now working as expected (Internet access blocked by my main router's firewall rules).
I then reviewed the settings with robocfg and brcfg. Everything was set up as my script was doing (updated above to correct port 3 assignment).
Apart from nvram variables, the only difference that I could see between all examples I have found for the script on Merlin and what FreshTomato does is that FreshTomato forces us to provide a fixed IP address for each BR interface.
With Merlin (and some other examples I have seen with OpenWRT as "subordinate AP"), the BR could get their IP address with DHCP. Since FreshTomato doesn't seem to have a DHCP client, we are forced to set a static IP for each BR interface.
I don't know if this is the reason why it's working or if it's because of an nvram that I thought was not relevant.
 
You mean the bridge interfaces on the router not the AP? If so then yes, as far as I know each VLAN or bridge needs a static IP assigned so that the DHCP request knows what pool to use.

On the AP the interfaces should not need IPs at all, not even DHCP. In fact giving them an IP may interfere.
 
I had to set an IP address for each BR interface on the AP. As I understand it, FreshTomato doesn't have a dummy AP mode per se. You can disable the WAN functionality (routing) and reassign the WAN port as a LAN port, but you need to provide an IP address for each BR interface.
My main router can however be the DHCP server for each VLAN (even for devices under my AP).
 
Yeah I meant when you tried yourself before FT.
 
