Assumptions on the setup:
- Router 1 (Main): Handles DHCP and Routing.
- Router 2 (Dumb AP): Uplink cable is in Port 1. CPU is Port 6.
- VLAN 1: Management / Home Network (Untagged on wire).
- VLAN 5: Guest Network (Tagged on wire).
Edit /etc/config/network. Replace the entire file content with this (adjusting the ipaddr for VLAN 1 to match your main network).
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd00::/48'
# -----------------------------------------------------------
# 1. SWITCH CONFIGURATION (Hardware Layer)
# -----------------------------------------------------------
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
# VLAN 1: Management & Home Network
# We use '1' (untagged) on Port 1 because main routers usually send VLAN 1 untagged.
# We use '6t' (tagged) for CPU so the OS distinguishes it.
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 2 3 4 6t' # 1 is Uplink, 6t is CPU
# VLAN 5: Guest Network
# We use '1t' (tagged) on Uplink so it reads the tag from Router 1.
# We use '6t' (tagged) on CPU so the OS receives the tag.
config switch_vlan
option device 'switch0'
option vlan '5'
option ports '1t 6t' # 1t is Uplink, 6t is CPU
# -----------------------------------------------------------
# 2. INTERFACE CONFIGURATION (OS Layer)
# -----------------------------------------------------------
# LAN Interface (Management / Home WiFi)
# This has a Static IP so you can access the AP settings.
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1' # Matches VLAN 1
option proto 'static'
option ipaddr '192.168.1.2' # <--- CHANGE THIS to a free IP in your main subnet
option netmask '255.255.255.0'
option gateway '192.168.1.1' # Main Router IP
option dns '192.168.1.1'
# GUEST Interface (Pure Bridge)
# This does NOT need an IP address. It just acts as a pipe.
# Traffic flows: Wi-Fi <--> Bridge <--> eth0.5 <--> Router 1
config interface 'guest'
option type 'bridge' # <--- Mandatory for bridging WiFi
option ifname 'eth0.5' # <--- Use 'ifname' for swconfig, NOT 'device'
option proto 'none' # <--- No IP needed on the AP itself
Edit /etc/config/wireless. Ensure your option network lines match the interface names defined above (lan and guest).
# RADIO 0 (Usually 2.4GHz or 5GHz depending on hardware)
config wifi-device 'radio0'
option type 'mac80211'
option channel 'auto'
option path 'platform/10180000.wmac' # Don't change your existing path
option htmode 'HT20'
# 1. HOME WIFI (Mapped to 'lan' interface)
config wifi-iface 'default_radio0'
option device 'radio0'
option mode 'ap'
option ssid 'Home_WiFi'
option encryption 'psk2'
option key 'YourPassword'
option network 'lan' # Bridges to eth0.1 (VLAN 1)
# 2. GUEST WIFI (Mapped to 'guest' interface)
config wifi-iface 'guest_radio0'
option device 'radio0'
option mode 'ap'
option ssid 'Guest_WiFi'
option encryption 'psk2'
option key 'GuestPassword'
option network 'guest' # Bridges to eth0.5 (VLAN 5)
option isolate '1' # Prevents guests from talking to each other
Since Router 1 handles all the heavy lifting (DHCP, DNS, Firewall), you must disable these on the Dumb AP to prevent conflicts.
Run these commands in the terminal:
# 1. Disable DHCP Server (Dnsmasq)
/etc/init.d/dnsmasq disable
/etc/init.d/dnsmasq stop
# 2. Disable DHCP via ODHCPD
/etc/init.d/odhcpd disable
/etc/init.d/odhcpd stop
# 3. Disable Firewall (Saves CPU, not needed for a bridge)
/etc/init.d/firewall disable
/etc/init.d/firewall stop
# 4. Apply Network Changes
/etc/init.d/network restart
After the network restarts, run this command to prove the bridge is active:
brctl show
You should see this output:
bridge name bridge id STP enabled interfaces
br-lan 8000.xxxxxxxxxxxx no eth0.1
wlan0
br-guest 8000.xxxxxxxxxxxx no eth0.5
wlan0-1
Success Criteria:
br-guestexists.eth0.5is listed under it (The wire).wlan0-1is listed under it (The wireless radio).
If you see both interfaces under br-guest, your clients will get an IP address from Router 1.