How to setup two independent networks on Omnia

Hi,
I have two independent networks here, meaning two hardware routers and all the stuff around them. What I would like to achieve is to get rid of the second (Linksys) router and keep everything running on Omnia. My current setup looks like this:


What I want it to look like:

The thing is, I need to keep those two networks (my home network and Corp network) separated, independent, and they must not reach or interfere with each other in any way.

I tried to setup Omnia this way:
-starting from default settings
-deleted SSID from radio0 so there is “No network configured on this device” Qualcomm Atheros QCA9880 802.11bgnac (radio0)
-on https://192.168.1.1/cgi-bin/luci/admin/network/network/lan > Physical Settings > withdrawn (uncheck) Ethernet Adapter: “eth2” (lan)
-attached radio0 to Corporate WIFI and created new network “corp”
-on Physical settings of “corp” interface checked “create a bridge over specified interface(s)” and chosen Ethernet Adapter: “eth2” and Wireless Network: Client “corp wifi”

Also tried to create two Interfaces and assign one to Corp WIFI and one to LAN4 and create firewall forwarding.

I expected this would work, but the Corp Desktop was never able to reach Corp AP. The WIFI interface received IP address from Corp WIFI AP, but not so the Corp Desktop.

WiFi Corp and LAN4 ought to be bridged

doesn’t it do -on Physical settings of “corp” interface checked “create a bridge over specified interface(s)” and chosen Ethernet Adapter: “eth2” and Wireless Network: Client “corp wifi” ? LAN4 is on eth2

That it should, and that is what I missed, thus I withdrew my comment. What Firewall zone is that bridge assigned to? It should permit DHCP (perhaps also DNS) to pass through to the lan4 client.

If you can access the Linksys management interface then check whether there are particular settings required, e.g. IPsec or some other security measures.

You could also debug with a packet inspection (on the TO and/or the lan4 client) via tcpdump

It is not assigned a firewall zone. Correct me if I’m wrong, but a bridge works on OSI Layer 2 and forwards all frames, while it doesn’t do anything on Layer 3 as a firewall would.
On Corp WIFI there is no enterprise security, it is a cheap SOHO router, only WPA2. I’m able to connect my laptop or phone with just a password.
Yes I will do some more testing tomorrow…

In my humble understanding (wording borrowed)

A bridge does not need an IP address to function. Without one it will just perform layer 2 switching, spanning tree protocol and filtering (if configured).

An IP address is required if you want your bridge to take part in layer 3 routing of IP packets.

And if I’m not mistaken, DHCP is L7 on the OSI model.

@xsys Could you confirm if my understanding is correct that the Linksys is a wifi client (not an AP) and that it essentially brings the corp desktop into the corp wifi as wifi client?
If so there are some gotchas in that you can’t just bridge wifi as client to a network unless you negotiate WDS ( https://en.wikipedia.org/wiki/Wireless_distribution_system ) or use L2 NAT (natting MAC addresses).
In addition you used eth2, which should work, but some people had problems using the 2nd CPU port to connect to any LAN ports.
In addition I’m not sure that the switch is configured to join LAN4 and the 2nd CPU port (port 6 / eth2) together. (sorry don’t have an Omnia handy straight away to check)

Also,

as soon as you share infrastructure there is always a possibility of impact.
The first I can think of is that by default you would have clients connecting on 5G and 2G wifi to the Omnia and after your config the clients can only use either but not both anymore.
Another instance is that load on the CPU could cause certain instability.
And as you are bridging via the CPU, make sure you have a firewall rule which denies traffic from the bridge and related interfaces from crossing to any others. (Yes, it is L2, but there are certain configurations possible where the Linux kernel may find L2 traffic on the bridge interesting enough to use the L3 information of the packets and forward them based on L3.)

vanilla TOS

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6'

Had mine changed to

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

and on the bridge

config interface 'foo'
	option ifname 'eth2.2'
	option type 'bridge'

It is possible with kmod-trelay

trelay relays ethernet packets between two devices (similar to a bridge), but without any MAC address checks. This makes it possible to bridge client mode or ad-hoc mode wifi devices to ethernet VLANs, assuming the remote end uses the same source MAC address as the device that packets are supposed to exit from


That should not be a problem and AP + STA should work simultaneously but I am not 100% certain as not having tried it.

There is however a supplemental package available on that subject which, though, does not work on TOS 3.x, and the developers made it clear they are not backporting it.

Interesting nugget from OpenWRT Wifi Extender or Repeater or Bridge Configuration

Since opensource wireless drivers used in LEDE do not support bridging in client mode, the traffic between LAN and the wireless client must be joined by routing it.

I hadn’t noticed that. That implies a plain bridge wouldn’t work as default. (I use WDS mode or the STA as client and IP NAT like a standard home network setup with an ISP uplink).

Sounds like @xsys would need to follow the above article and he might be lucky to get it to work.
Side effect is that this could work for more than one corp desktop.

I also just noticed the

That could imply that the “corp” network isn’t set to bridge only but picks up DHCP which guarantees a collision.

I never got that to work reliably. But it is a while I’ve had a reason to try.
Note that the side effect is that you will share the same RF channel with all the side effects.
This is why I use an additional radio usually.

If I’m reading that correctly it works for a single corp desktop (which may be enough in this case) and it requires that the ethernet frame encapsulated in the Wifi frame has the correct destination address for the client. That may not be the case unless the STA address is the same as the MAC of the corp desktop.

The background is that the AP gets a frame from LAN with a dest MAC. The AP needs to match that dest MAC to a STA to send the ethernet frame to. Usually that mapping is done by taking the dest MAC as the STA destination. If the corp desktop uses a different MAC the AP wouldn’t know where to send it and would drop it (it will not flood to all STAs like a bridge would).

Let me answer what I know, one by one.

Yes, Linksys is a client, as shown in the first picture. It acts as a WIFI card for the Desktop, since the Desktop is out of the Corp WIFI range. It does not work as a WIFI bridge, hence no WDS is utilized. It is set to mode “bridge”, which means its WIFI and LAN interfaces are bridged.
I wanted the same setup work on Omnia, not WIFI-to-WIFI bridge but WIFI-to-LAN.

-Omnia has two hardware WIFI cards working independently, in different modes. First I removed all networks from radio0:

then I connected radio0 as a client to Corp WIFI:

on commandline it would be

network.corporate= interface
network.corporate.proto= dhcp

wireless.radio0
wireless.radio0.channel= 2

wireless.cfg063579= wifi-iface
wireless.cfg063579.bssid= 00:25:9C:xxxxxx
wireless.cfg063579.device= radio0
wireless.cfg063579.encryption= psk2
wireless.cfg063579.key= aaaaaaa
wireless.cfg063579.mode= sta
wireless.cfg063579.network= corporate
wireless.cfg063579.ssid= Corporate WIFI

result

so far so good

Now I switch the Corporate network from DHCP mode to Unmanaged

Now for the Switch and LAN ports:
-hardware: https://doc.turris.cz/doc/en/howto/vlan_settings_omnia
-software:

LAN4 is in VLAN2 with Port6 which is wired to eth2

Tell me where I’m wrong.

Now I switch Corporate network from this

to this

But what happens is that at that moment radio0 disassociates from Corp WIFI and does not work anymore

Last time I somehow managed to make the radio0 work (connect to Corp AP) but device connected to LAN4 was not able to reach anything anyway.

Can you please post /etc/config/network?
Did you remove eth2 from LAN before creating a new bridge?

Yes, eth2 removed from LAN.

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config interface 'lan'
	option force_link '1'
	option type 'bridge'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option delegate '0'
	option _orig_ifname 'eth0 wlan1'
	option _orig_bridge 'true'
	option ifname 'eth0'

config interface 'corporate'
	option force_link '1'
	option type 'bridge'
	option proto 'none'
	option _orig_ifname 'eth2 wlan0'
	option _orig_bridge 'true'
	option ifname 'eth2'

config interface 'wan'
	option ifname 'eth1'
	option proto 'pppoe'
	option username 'internet'
	option password 'internet'
	option ipv6 '0'
	option delegate '0'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6'

Btw. these are the settings of the Linksys



For network layout please refer to my first picture in this thread.

I’m getting suspicious that the LuCI web interface does not work properly and does not set the fields it is showing
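As an added example (not from the thread or from Turris), the firewall rule suggested earlier in the thread, applied to the “corporate” bridge from the /etc/config/network posted above: it puts that interface in its own zone that rejects everything and has no forwarding section, so no traffic can be routed between it and lan/wan. The zone name “corp”, the helper names and the dry-run behaviour are assumptions; it also reports whether br_netfilter is making bridged frames visible to iptables at all, which is the caveat about L2 traffic raised earlier.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumes an OpenWrt/TOS 3.x router
# where /etc/config/network already has the "corporate" bridge (wlan0 STA +
# eth2/LAN4, proto none). Zone name "corp" and helper names are assumptions.

# Print a uci batch that creates the isolating zone. No "forwarding" section
# is created for it, so crossing the zone boundary needs an explicit rule.
corp_zone_batch() {
  cat <<'EOF'
add firewall zone
set firewall.@zone[-1].name='corp'
set firewall.@zone[-1].input='REJECT'
set firewall.@zone[-1].output='REJECT'
set firewall.@zone[-1].forward='REJECT'
set firewall.@zone[-1].masq='0'
add_list firewall.@zone[-1].network='corporate'
EOF
}

# Apply the batch on the router; elsewhere (no uci binary) just show it.
apply_corp_zone() {
  if command -v uci >/dev/null 2>&1; then
    corp_zone_batch | uci batch && uci commit firewall && /etc/init.d/firewall reload
  else
    echo "uci not available, dry run:" >&2
    corp_zone_batch
  fi
}

# Frames crossing a Linux bridge only reach iptables when br_netfilter is
# active. Prints "1" (bridged traffic is filtered), "0" (it is not, so the
# zone above only covers routed traffic) or "absent" (no bridge sysctl here).
bridge_nf_state() {
  f=/proc/sys/net/bridge/bridge-nf-call-iptables
  if [ -r "$f" ]; then cat "$f"; else echo absent; fi
}

apply_corp_zone
echo "bridge-nf-call-iptables: $(bridge_nf_state)"
```

With the value at 0 the bridge still switches frames between wlan0 and eth2 below the firewall, which is what the thread wants; the zone then only guarantees nothing gets routed to the home LAN or WAN.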

try with `luci-proto-relay`

Is this what you’re trying to do?
https://openwrt.org/docs/guide-user/network/wifi/relay_configuration

Your Linksys configuration has a static IP address. Did you try that instead of Unmanaged?

Yes, Linksys works fine with both static IP and DHCP, but does not allow Unmanaged. On Omnia I tried all three settings but no luck