Today's subject is to set up a number of Wi-Fi access points at our home, using a single SSID/password, and provide seamless roaming between them, so that e.g. a Skype call is not interrupted while moving around; i.e. the handover to a new access point should happen automatically and fast.
There will actually be 5 separate access point names (SSIDs), on 2.4 GHz and 5 GHz, on 3 different networks:
- Wi5-ve, Wi2-ve give access to our home network, which is routed directly to the internet
- Wi5-dk, Wi2-dk will be routed via my Danish data center
- FreeWifi is a password-free network, throttled down to 1 Mbit/s for visitors: good enough for checking e-mail, but not an invitation for my kids' friends to sit and watch YouTube while they are here.
This is based on:
- Netgear WNDR3800, 5 of these will be distributed around our home; you can currently get them on eBay for $20. 680 MHz CPU, 128 MB RAM, 16 MB flash, 5-port gigabit switch, 2.4 GHz and 5 GHz Wi-Fi
- OpenWrt 18.06; I have been a happy user for 12 years and OpenWrt is now better than ever
- 802.11r (Fast BSS Transition) is the standard that makes it possible to hand a client over to another access point in about 50 ms
- 802.1Q VLANs will be used on the interconnection between the access points
- WireGuard will be used as VPN for the traffic that should go via Denmark, see linux/wireguard-vpn-mellem-mine-datacentre
- Shairport and a USB sound card will make each access point a base for sound distribution, see /linux/shairport-sync-on-openwrt
- Future projects
  - MySensors: it would be nice to use this as a backbone for MySensors, see /homeautomation/mysensors
  - Cameras: since we have a USB port available we might as well use it
The four secondary routers are linked via gigabit Ethernet to the primary router.
VLAN on our backbone home network
The backbone network is one flat network with the access points and switches connected up to the primary router: no redundancy, no loops, strictly hierarchical. Only servers, desktops and printers under our control are connected to it, hence it is considered a trusted network. For an outsider to get access to it they would either need to plug in with a cable or compromise one of our computers, which mostly run Linux, with a few Macs, but no Windows. Note that the guest and dk networks travel over the same cables as tagged VLANs, so this separation is only as good as the VLAN configuration on each router and switch. All in all I am using these network ranges internally; the outside world only ever sees my Danish IP address or my US IP address:
zone | net | vlan | Wifi | Description
lan | 192.168.2.0/24 | untagged | Wi5-ve Wi2-ve | US backbone
 | 192.168.3.0/24 | | | DK backbone
 | 10.10.x.0/24 | | | laptop x, on VPN, not at home
guest | 10.0.4.0/24 | 4 | FreeWifi | isolated and throttled
dk | 192.168.5.0/24 | 5 | Wi5-dk Wi2-dk | routed via DK
To make the configuration a little easier, and to isolate (operator) errors, the functionality is spread out so that each router serves one network:
- 192.168.2.1 gateway: all outgoing traffic, firewall, masquerading, port forwarding
  - DHCP server for 192.168.2.0/24 (untagged VLAN)
- 192.168.2.2 kontor (office)
- 192.168.2.3 workshop: incoming WireGuard server for travelling laptops and for my data center in Denmark; remote laptops use 10.10.0.0/16
  - WireGuard gateway to/from my Danish backbone 192.168.3.0/24
- 192.168.2.4 stue (living room)
  - DHCP server for the guest network 10.0.0.0/24 (VLAN 4)
- 192.168.2.5 wgdk: all traffic routed via my data center in Denmark
  - DHCP server for 192.168.5.0/24 (VLAN 5)
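The post never shows the /etc/config/network side of this, so here is an added example (my own, not the original post's configuration) that generates the `uci batch` input giving one secondary access point the three networks from the table: 'lan' untagged, 'guest' tagged as VLAN 4 and 'dk' tagged as VLAN 5, all carried on the single cable to the primary router. The bridge names match the 'network' options used in the wireless config later on. It assumes the board's default 18.06 network config (one switch section and VLAN 1 already present) and swconfig port numbers that are my assumption for the WNDR3800; verify them with `swconfig dev switch0 show` before applying.

```shell
#!/bin/sh
# Added example, not from the original post: emit the uci commands that put
# 'lan' (untagged), 'guest' (VLAN 4) and 'dk' (VLAN 5) on the trunk cable of
# one secondary AP. Port numbers are assumptions for the WNDR3800; verify
# with `swconfig dev switch0 show`.

CPU_PORT="${CPU_PORT:-5}"             # assumption: switch port wired to the SoC (eth0)
TRUNK_PORT="${TRUNK_PORT:-0}"         # assumption: LAN port cabled to the primary router
ACCESS_PORTS="${ACCESS_PORTS:-1 2 3}" # the other LAN ports stay untagged on 'lan'

# vlan_section <vlan-id> <port-list>: one 802.1Q VLAN on switch0 ("5t" = tagged on port 5)
vlan_section() {
    printf "set network.vlan%s=switch_vlan\n" "$1"
    printf "set network.vlan%s.device='switch0'\n" "$1"
    printf "set network.vlan%s.vlan='%s'\n" "$1" "$1"
    printf "set network.vlan%s.ports='%s'\n" "$1" "$2"
}

# iface_section <name> <vlan-id> [ipaddr]: a bridge over eth0.<vlan> that the
# wifi-iface sections attach to via their 'network' option. Without an address
# the AP only bridges (proto none); the router that serves DHCP for that VLAN
# gets a static address on it instead.
iface_section() {
    printf "set network.%s=interface\n" "$1"
    printf "set network.%s.type='bridge'\n" "$1"
    printf "set network.%s.ifname='eth0.%s'\n" "$1" "$2"
    if [ -n "$3" ]; then
        printf "set network.%s.proto='static'\n" "$1"
        printf "set network.%s.ipaddr='%s'\n" "$1" "$3"
        printf "set network.%s.netmask='255.255.255.0'\n" "$1"
    else
        printf "set network.%s.proto='none'\n" "$1"
    fi
}

# uci_batch <management-ip>: the complete `uci batch` input for one secondary AP.
uci_batch() {
    # VLAN 1 (lan) already exists in the default config as the first switch_vlan section:
    # keep it untagged on every port and tagged towards the CPU.
    echo "set network.@switch[0].enable_vlan='1'"
    echo "set network.@switch_vlan[0].vlan='1'"
    echo "set network.@switch_vlan[0].ports='$ACCESS_PORTS $TRUNK_PORT ${CPU_PORT}t'"
    vlan_section 4 "${TRUNK_PORT}t ${CPU_PORT}t"   # guest: tagged, trunk only
    vlan_section 5 "${TRUNK_PORT}t ${CPU_PORT}t"   # dk: tagged, trunk only
    echo "set network.lan.ifname='eth0.1'"
    echo "set network.lan.ipaddr='$1'"             # management address on the trusted network
    iface_section guest 4
    iface_section dk 5
    echo "commit network"
}

# Apply to one router (after the password-less ssh setup), then restart networking:
#   uci_batch 192.168.2.4 | 192.168.2.4 uci batch && 192.168.2.4 /etc/init.d/network restart
if [ "$#" -eq 1 ]; then
    uci_batch "$1"
fi
```

Run it with the management address as the only argument and pipe the result into `uci batch` on the router. Because guest and dk have no address on a pure bridging AP, a client on FreeWifi cannot even reach the AP's management interface; only the router that routes that VLAN has a foothold in it.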
Configure network interfaces, switch and Wifi
Assuming the WNDR3800 has a virgin installation of the newest OpenWrt 18.06.1, the configuration can begin. First configure password-less access, as I describe in linux/rsh-som-i-gamle-dage (for an English version use the translation button in the upper left corner):
newssh root@192.168.2.1
newssh root@192.168.2.2
newssh root@192.168.2.3
newssh root@192.168.2.4
newssh root@192.168.2.5
This creates 5 new commands under ~/bin, so we can now execute any command on any of the routers, or log in to them, without providing a password. You could of course configure the routers via the web interface, but that is not my habit.
Let us have a look at /etc/config/wireless, which is identical on all the routers (shown as uci export prints it, with a few comments added):
$ 192.168.2.3 uci export wireless
package wireless

# 2.4 GHz radio
config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'pci0000:00/0000:00:11.0'
	option country 'US'
	option channel 'auto'
	option htmode 'HT20'
	option legacy_rates '0'

# 5 GHz radio
config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:12.0'
	option country 'US'
	option disabled '0'
	option htmode 'HT40'
	option channel 'auto'
	option legacy_rates '0'

# Wi2-ve: home network (zone lan) on 2.4 GHz. WPA2-PSK with 802.11r fast transition.
# mobility_domain (a 4-digit hex value) must be identical on every AP carrying this SSID;
# ft_psk_generate_local derives the FT keys from the PSK on each AP, so no key
# exchange between the APs is needed, but the PSK must match exactly everywhere.
config wifi-iface
	option device 'radio0'
	option mode 'ap'
	option key 'secret key'
	option network 'lan'
	option ssid 'Wi2-ve'
	option ieee80211r '1'
	option ft_over_ds '1'
	option encryption 'psk2+ccmp'
	option mobility_domain '1111'
	option ft_psk_generate_local '1'

# Wi5-ve: home network (zone lan) on 5 GHz, its own mobility domain
config wifi-iface
	option device 'radio1'
	option key 'secret key'
	option network 'lan'
	option mode 'ap'
	option ssid 'Wi5-ve'
	option ieee80211r '1'
	option ft_over_ds '1'
	option encryption 'psk2+ccmp'
	option mobility_domain '2222'
	option ft_psk_generate_local '1'

# Wi5-dk: routed via Denmark (zone dk) on 5 GHz
config wifi-iface
	option mode 'ap'
	option device 'radio1'
	option network 'dk'
	option ssid 'Wi5-dk'
	option encryption 'psk2+ccmp'
	option key 'secret key'
	option ieee80211r '1'
	option ft_over_ds '1'
	option mobility_domain '3333'
	option ft_psk_generate_local '1'

# FreeWifi: open guest network (zone guest) on 2.4 GHz, no 802.11r.
# isolate '1' blocks client-to-client traffic through the AP; hidden '1' only keeps
# the name out of beacons and is not an access control.
config wifi-iface
	option mode 'ap'
	option device 'radio0'
	option network 'guest'
	option ssid 'FreeWifi'
	option encryption 'none'
	option hidden '1'
	option isolate '1'

# Wi2-dk: routed via Denmark (zone dk) on 2.4 GHz
config wifi-iface
	option mode 'ap'
	option device 'radio0'
	option network 'dk'
	option ssid 'Wi2-dk'
	option encryption 'psk2+ccmp'
	option key 'secret key'
	option ieee80211r '1'
	option ft_over_ds '1'
	option mobility_domain '4444'
	option ft_psk_generate_local '1'
As you can see there are two radios:
- radio0 is 2.4 GHz with 3 Wi-Fi access points
  - Wi2-ve, zone: lan
  - Wi2-dk, zone: dk
  - FreeWifi, zone: guest
- radio1 is 5 GHz with 2 Wi-Fi access points
  - Wi5-ve, zone: lan
  - Wi5-dk, zone: dk
FreeWifi uses no encryption and has no password, but its speed is throttled; more about this in a future blog post. Two options in its configuration are worth noting: isolate '1' stops guest clients from talking to each other through the AP, which is what you want on an open network, while hidden '1' only keeps the name out of the beacons and is not an access control, since clients that know the SSID send it in clear in their probe requests.
The 4 other Wi-Fi access points use WPA2-PSK (psk2+ccmp) and 802.11r handover to the other routers, which are set up in exactly the same way: the same SSID, the same PSK and the same mobility_domain for each network on every AP. With ft_psk_generate_local the FT keys are derived from the PSK on each AP, so no key distribution between the APs is needed, but the PSK must match exactly everywhere. Each SSID gets its own mobility domain (1111, 2222, 3333 and 4444 here; a mobility domain is a 4-digit hex value) so that a client never attempts a fast transition between two different networks. You should of course use a different password and your own mobility domains. If some clients refuse to roam, setting ft_over_ds '0' (fast transition over the air instead of via the wired backbone) is the usual first thing to try.
This should be enough to enable roaming between your routers. On the secondary routers, which have no WAN connection and only bridge, disable the firewall and stick to a single zone, lan, and you should be ready to go. Whichever router routes the guest and dk networks towards the outside must keep its firewall zones, since that is where the isolation of the guest network from lan is enforced.
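A mismatch in any of these settings on one AP is silent: clients still connect, they just fall back to a full reassociation on every handover, which is exactly the interruption this setup is meant to avoid. As an added example (my own script, not part of the original post), here is a small shell/awk audit that reads the output of `uci export wireless` from every router and reports an SSID whose mobility_domain, encryption or ieee80211r setting differ between APs, two SSIDs that share a mobility domain, and an FT-enabled SSID with no explicit mobility domain. The router names and the two exports embedded below are constructed samples; the second one has the kind of one-digit typo that breaks roaming.

```shell
#!/bin/sh
# Added example, not from the original post: audit 802.11r settings across APs.
# Input is `uci export wireless` output; AP names and exports below are
# constructed samples. SSIDs containing spaces are not handled by this parser.

# flatten <ap-name>: read one `uci export wireless` dump on stdin and print one
# line per wifi-iface: "<ap> <ssid> <mobility_domain> <encryption> <ieee80211r>"
# ("-" where an option is absent).
flatten() {
    awk -v ap="$1" -v q="'" '
        function flush() {
            if (in_iface) printf "%s %s %s %s %s\n", ap, ssid, md, enc, ft
            in_iface = 0; ssid = md = enc = ft = "-"
        }
        BEGIN { flush() }
        /^config wifi-iface/ { flush(); in_iface = 1; next }
        /^config /           { flush(); next }
        in_iface && $2 == "ssid"            { gsub(q, "", $3); ssid = $3 }
        in_iface && $2 == "mobility_domain" { gsub(q, "", $3); md = $3 }
        in_iface && $2 == "encryption"      { gsub(q, "", $3); enc = $3 }
        in_iface && $2 == "ieee80211r"      { gsub(q, "", $3); ft = $3 }
        END { flush() }'
}

# check: read flattened lines from all APs on stdin, print findings, exit 1 if any.
check() {
    awk '
        {
            ap = $1; ssid = $2; md = $3; tuple = $3 " " $4 " " $5
            # 1. every AP must carry identical FT settings for a given SSID
            if (ssid in seen) {
                if (seen[ssid] != tuple) {
                    printf "MISMATCH %s: %s has [%s], %s has [%s]\n", ssid, first[ssid], seen[ssid], ap, tuple
                    bad = 1
                }
            } else { seen[ssid] = tuple; first[ssid] = ap }
            # 2. a mobility domain names one network; two SSIDs must not share it
            if (md != "-") {
                if ((md in owner) && owner[md] != ssid) {
                    printf "SHARED mobility_domain %s: %s and %s\n", md, owner[md], ssid
                    bad = 1
                }
                if (!(md in owner)) owner[md] = ssid
            }
            # 3. FT enabled but no explicit mobility domain: the build default applies
            if ($5 == "1" && md == "-" && !(ssid in warned)) {
                printf "DEFAULT mobility_domain on %s (set one explicitly)\n", ssid
                warned[ssid] = 1; bad = 1
            }
        }
        END { exit bad }'
}

# audit <name1> <export1> [<name2> <export2> ...]: flatten each export and check them together.
audit() {
    while [ $# -ge 2 ]; do
        printf '%s\n' "$2" | flatten "$1"
        shift 2
    done | check
}

# Constructed sample: one AP with a home SSID using FT and an open guest SSID.
AP_KONTOR=$(cat <<'EOF'
package wireless

config wifi-device 'radio0'
    option type 'mac80211'

config wifi-iface
    option device 'radio0'
    option mode 'ap'
    option ssid 'Wi2-ve'
    option encryption 'psk2+ccmp'
    option ieee80211r '1'
    option mobility_domain '1111'

config wifi-iface
    option device 'radio0'
    option mode 'ap'
    option ssid 'FreeWifi'
    option encryption 'none'
EOF
)

# Constructed sample: a second AP where Wi2-ve got a mistyped mobility domain.
AP_STUE_BAD=$(cat <<'EOF'
package wireless

config wifi-iface
    option device 'radio0'
    option mode 'ap'
    option ssid 'Wi2-ve'
    option encryption 'psk2+ccmp'
    option ieee80211r '1'
    option mobility_domain '1112'
EOF
)

audit_consistent() { audit kontor "$AP_KONTOR" stue "$AP_KONTOR"; }
audit_broken()     { audit kontor "$AP_KONTOR" stue "$AP_STUE_BAD"; }

# Against the live routers (with the password-less ssh commands from above):
#   for r in 192.168.2.1 192.168.2.2 192.168.2.3 192.168.2.4 192.168.2.5; do
#       $r uci export wireless | flatten "$r"
#   done | check
audit_consistent && echo "consistent pair: OK"
audit_broken     || echo "broken pair: problems found (see above)"
```

On the samples the second run prints a MISMATCH line for Wi2-ve naming both APs and their settings, and exits non-zero, so the audit can sit in a cron job or be run right after any `uci commit wireless`.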
In a future blog post I will describe:
- how to throttle the FreeWifi network
Stay tuned.