MOX as WiFi Extender with Mesh Backhaul and Guest Network

I have configured MOX as a WiFi extender for my Omnia main router. It extends the home network and also hosts its own guest network (guest networks are isolated and don’t really need to be “extended”). I originally tried the Netboot recipe, but could not make it work. I then followed the OpenWrt Wireless Repeater/Extender guide, which has references to WDS and 802.11s. Based on the MOX’s hardware capabilities I chose 802.11s. So my setup now has a LAN bridge with an 802.11s mesh backhaul. I will document it here so it may help someone. My Omnia and my MOX are both running Turris OS 6.5.1.

The LAN Bridge

On the Omnia

/etc/config/wireless

config wifi-iface 'mesh_0'
        option network 'lan'
        option mesh_rssi_threshold '0'
        option key '<mesh password>'
        option encryption 'sae'
        option device 'radio0'
        option mode 'mesh'
        option mesh_fwding '1'
        option mesh_id '<mesh name>'
        option ifname 'mesh0'

/etc/config/network

config device 'br_lan'
        <...>
        option macaddr '<unique MAC address>'
        option stp '1'

On the MOX

I set up the MOX as a “computer” in Foris and, after making the changes below, connected to it via WiFi at its new IP address. I also had to update the WiFi firmware:

opkg install ath10k-firmware-qca988x

/etc/config/wireless

config wifi-iface 'mesh_0'
        option network 'lan'
        option mesh_rssi_threshold '0'
        option key '<mesh password>'
        option encryption 'sae'
        option device 'radio0'
        option mode 'mesh'
        option mesh_fwding '1'
        option mesh_id '<mesh name>'
        option ifname 'mesh0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option key '<home WiFi password>'
        option ifname 'wlan1'
        option mode 'ap'
        option encryption 'sae-mixed'
        option ssid '<home WiFi name>'

/etc/config/network

config interface 'lan'
        option device 'br-lan'
        <...>
        option netmask '255.255.255.0'
        option proto 'static'
        option gateway '<Omnia IP address>'
        option ipaddr '<MOX IP address in the home LAN>'
        list dns '<Omnia IP address>'

config device 'br_lan'
        <...>
        option macaddr '<unique MAC address>'
        option stp '1'

/etc/config/dhcp

config dhcp 'lan'
        option interface 'lan'
        <...>
        option ignore '1'
        list ra_flags 'none'

At this point the MOX was working as an AP for the home network and forwarding all traffic to the Omnia.

The Guest Network

I initially tried tunneling the guest network through the LAN bridge, but although I successfully established a VXLAN tunnel between the MOX and the Omnia, it did not have useful throughput. I followed the discussions on tweaking MTU settings, but eventually gave up in favor of a much simpler setup.

On the Omnia

Here we need a routing rule for return traffic to the MOX’s guest network:

/etc/config/network

config route
        option target '<MOX guest subnet>'
        option netmask '255.255.255.0'
        option gateway '<MOX IP address in the home LAN>'
        option interface 'lan'

On the MOX

This is the tricky part, and I did not find a way to do it with firewall zones, so it ended up here:

/etc/firewall.user

iptables -A forwarding_rule -i br-guest-turris -o br-lan '!' -d 192.168.0.0/16 -j ACCEPT

This assumes your private networks all live in 192.168.0.0/16 (class C); adjust the excluded range if yours differ. The point is to forward WAN-bound traffic from the guest network to the default route without breaking guest network isolation. Otherwise the guest network is plain vanilla: it has its own DHCP, and it uses the local resolver’s DNS forwarding and the default route, both of which come from the LAN configuration.
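To see exactly which destinations that single rule lets out of the guest bridge, here is a small first-match model of the forwarding_rule chain. This is an added example, not part of the post or of Turris OS: the bridge names are the ones from the post, the sample destinations are constructed, and the verdict "ZONE_POLICY" stands for the assumption that a packet which leaves the chain without an ACCEPT falls through to fw3's guest zone forwarding, which rejects guest-to-LAN traffic. It also shows why the obvious generalisation to all RFC 1918 ranges, chaining several negated ACCEPT rules, does not work (every address is outside at least one of the ranges, so everything is accepted), and what a working variant looks like (RETURN for each private range, then a plain ACCEPT).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

GUEST = "br-guest-turris"   # guest bridge name from the post
LAN = "br-lan"              # home LAN bridge name from the post


@dataclass(frozen=True)
class Rule:
    """One `iptables -A forwarding_rule -i IN -o OUT [!] -d NET -j TARGET` line."""
    in_iface: str
    out_iface: str
    dst: Optional[ipaddress.IPv4Network]   # None = no -d match at all
    negate: bool                           # True = `! -d NET`
    target: str                            # "ACCEPT" or "RETURN"

    def matches(self, in_iface, out_iface, addr):
        if in_iface != self.in_iface or out_iface != self.out_iface:
            return False
        if self.dst is None:
            return True
        return (addr in self.dst) != self.negate

    def as_iptables(self):
        dst = ""
        if self.dst is not None:
            dst = f" {'! ' if self.negate else ''}-d {self.dst}"
        return (f"iptables -A forwarding_rule -i {self.in_iface} "
                f"-o {self.out_iface}{dst} -j {self.target}")


def evaluate(chain, in_iface, out_iface, dst):
    """First-match walk of the forwarding_rule chain. Returns "ACCEPT" when the
    packet is forwarded, or "ZONE_POLICY" when it leaves the chain (RETURN or
    no match) and fw3's zone forwarding decides. Assumption: the guest zone
    does not forward to lan, so ZONE_POLICY means the packet is rejected."""
    addr = ipaddress.ip_address(dst)
    for rule in chain:
        if rule.matches(in_iface, out_iface, addr):
            return "ACCEPT" if rule.target == "ACCEPT" else "ZONE_POLICY"
    return "ZONE_POLICY"


def net(s):
    return ipaddress.ip_network(s)


# The post's rule: accept guest -> LAN-bridge traffic unless it is destined
# for 192.168.0.0/16. Anything in 10/8 or 172.16/12 is still accepted.
ORIGINAL = [Rule(GUEST, LAN, net("192.168.0.0/16"), True, "ACCEPT")]

# Wrong generalisation: several negated ACCEPTs. Each rule alone accepts
# every address outside its own range, so even 192.168.1.10 is accepted
# by the 10/8 rule.
NAIVE = [Rule(GUEST, LAN, net(n), True, "ACCEPT")
         for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]

# Working generalisation: leave the chain for every private range, then
# accept whatever remains, i.e. only genuinely non-private destinations.
PRIVATE = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")
HARDENED = [Rule(GUEST, LAN, net(n), False, "RETURN") for n in PRIVATE]
HARDENED.append(Rule(GUEST, LAN, None, False, "ACCEPT"))

# Constructed sample destinations: one public, one in each private range.
SAMPLES = ["8.8.8.8", "192.168.1.10", "10.0.0.5", "172.16.4.2"]

if __name__ == "__main__":
    for name, chain in (("original", ORIGINAL), ("naive", NAIVE),
                        ("hardened", HARDENED)):
        print(f"== {name}")
        for rule in chain:
            print("  " + rule.as_iptables())
        for d in SAMPLES:
            print(f"  {d:>14} -> {evaluate(chain, GUEST, LAN, d)}")
```

Running it prints each chain as iptables lines followed by the verdict per sample address; the original chain accepts 10.0.0.5 and 172.16.4.2, the naive chain accepts everything including 192.168.1.10, and the hardened chain accepts only 8.8.8.8. The model does not know your actual zone configuration, so after changing /etc/firewall.user confirm the guest-to-LAN verdict on the box itself, for example by checking from a guest client that a LAN address is unreachable while the Internet still is.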