Wifi – Multiple Access points with roaming – part 1

Today's subject is to set up a number of Wifi access points at our home, using a single SSID/password, and provide seamless roaming between them, so that for example a Skype call would not be interrupted while moving around, i.e. the handover to a new access point should happen automatically and fast.

There will actually be 5 separate access point names on 2.4GHz and 5GHz, on 3 different networks:

  • Wi5-ve, Wi2-ve give access to our home network, which is routed directly to the internet
  • Wi5-da, Wi2-da will be routed via my Danish data center
  • FreeWifi is a password-free network, which will be throttled down to 1 Mbit/s for visitors, good enough for checking e-mail, but not an invitation to my kids' friends to sit and watch YouTube while they are here.

This is based on:

  • Netgear WNDR3800, 5 of these will be distributed around our home; you can currently get them on ebay for $20 – 680MHz, 128Mb RAM, 16Gb DISK, 5 port gigabit switch, 2.4GHz and 5GHz wifi
  • OpenWrt 18.06, I have been a happy user for 12 years and OpenWrt is now better than ever
  • 802.11r is the standard that makes it possible to do an access point handover in 50msec
  • 802.1q VLANs will be used in the interconnection between the access points.
  • WireGuard will be used as VPN for traffic that should go via Denmark, see linux/wireguard-vpn-mellem-mine-datacentre
  • Shairport and a USB sound card will make each access point a base for sound distribution, see /linux/shairport-sync-on-openwrt
  • Future projects
    • MySensors – it would be nice to use this as a backbone for MySensors, see /homeautomation/mysensors
    • Cameras – since we have a USB port available we might as well use it

The four secondary routers are linked via gigabit ethernet to the primary router.

VLAN on our backbone home network

The backbone network is one flat network, with the access points and switches connected up to the primary router: no redundancy, no loops, strictly hierarchical. Only servers, desktops and printers under our control are connected to it, hence it is considered a trusted network. For an outsider to get access to it, they would either need to connect with a cable or hack one of our computers, which mostly run Linux, a few Macs, but no Windows. All in all I am using these network ranges internally; the outside world only ever sees my Danish IP address or my US IP address:

zone    net             vlan       Wifi       Description
lan                     untagged   Wi5-ve     us backbone
                                              dk backbone
        10.10.x.0/24                          laptops x using vpn, not home
guest                   4          FreeWifi   isolated and throttled
dk                      5          Wi5-da     routed via dk

To make the configuration a little easier, and to isolate (operator) errors, the functionality is spread out so that each router serves one network:

  • gateway – all outgoing traffic, firewall, masquerading, port forwarding
    • DHCP server for the untagged VLAN
  • kontor
  • workshop – incoming WireGuard server for traveling laptops, including my datacenter in Denmark; remote laptops have
    • WireGuard gateway to/from my Danish backbone
  • stue
    • DHCP server for the guest network, vlan 4
  • wgdk – all traffic routed via my datacenter in Denmark
    • DHCP server for vlan 5
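As an added example (not the blog's own configuration), the following POSIX shell script prints the `uci batch` commands that carve the two tagged VLANs off the switch of a secondary WNDR3800 and attach a bridge interface to each, so that a single uplink cable carries the untagged lan plus vlan 4 (guest) and vlan 5 (dk). The switch name `switch0`, the CPU port `0`, the uplink on switch port `1` and the LAN device `eth0` are assumptions; confirm them with `swconfig dev switch0 show` on the real router before piping the output into `uci batch`. The interface names `guest` and `dk` are hypothetical, chosen to match the zone names in the table above.

```shell
#!/bin/sh
# Added example, not the blog's own script: print a `uci batch` script that
# adds tagged VLANs 4 (guest) and 5 (dk) to the LAN switch of a secondary
# WNDR3800 and attaches a bridge interface to each.
# ASSUMPTIONS (verify with `swconfig dev switch0 show` on the real router):
SWITCH="switch0"    # name of the internal switch
CPU_PORT="0"        # switch port that connects to the SoC
UPLINK_PORT="1"     # LAN port that carries the cable to the primary router
LANDEV="eth0"       # netdev behind the switch; VLAN subdevices are eth0.<vid>

# One tagged VLAN: the switch passes it tagged on the CPU port and on the
# uplink port only. The other LAN ports are not members of vlan 4 or 5, so a
# tagged frame a visitor sends into one of them is simply dropped.
vlan_section() {
    vid="$1"; name="$2"
    cat <<EOF
add network switch_vlan
set network.@switch_vlan[-1].device='$SWITCH'
set network.@switch_vlan[-1].vlan='$vid'
set network.@switch_vlan[-1].ports='${CPU_PORT}t ${UPLINK_PORT}t'
set network.$name=interface
set network.$name.type='bridge'
set network.$name.ifname='$LANDEV.$vid'
set network.$name.proto='none'
EOF
}

# The full batch for a secondary router. The VLAN interfaces are bridges with
# no address of their own (proto none): they only join the wifi-iface that
# names them to the tagged uplink, while DHCP lives on the router listed for
# that network above. Only the untagged lan keeps an address, for management.
network_uci_batch() {
    vlan_section 4 guest
    vlan_section 5 dk
    echo "commit network"
}

# On the router: network_uci_batch | uci batch && /etc/init.d/network reload
# Run on its own, the script only prints the batch so it can be reviewed first.
network_uci_batch
```

On the router that actually serves DHCP for a VLAN (stue for vlan 4, wgdk for vlan 5 in the list above) the interface needs `proto 'static'` with an address instead of `proto 'none'`; the switch_vlan sections stay the same.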

Configure network interfaces, switch and Wifi

Assuming the WNDR3800 has a virgin installation of the newest OpenWrt 18.06.1, the configuration can begin. First configure password-less access, as I describe in linux/rsh-som-i-gamle-dage (for an English version use the translation button in the upper left corner).

This creates 5 new commands under ~/bin, so now we can execute any command on any of the routers, or log in to them, without providing a password. You could of course configure the routers via the web interface, but I do not really have those tendencies.

Let us have a look at /etc/config/wireless, which is identical on all the routers:

  • radio0 is 2.4GHz with 3 Wifi access points
    • Wi2-us – zone: lan
    • Wi2-dk – zone: dk
    • FreeWifi – zone: guest
  • radio1 is 5GHz with 2 Wifi access points
    • Wi5-us – zone: lan
    • Wi5-dk – zone: dk

FreeWifi uses no encryption and has no password, but its speed is throttled; more about this in a future blog post.

The 4 other WiFi access points use WPA2-PSK encryption and use 802.11r handover to the other routers, which are set up in the same way, with the same mobility_domain associated with each network. You should probably use a different password and mobility domain for your own network.

This should be enough to enable roaming between your routers: just disable the firewall on the secondary routers that do not connect to the WAN, stick to a single zone, lan, and you should be ready to go.
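Here is an added example, not the blog's own /etc/config/wireless, written as a POSIX shell script that prints the `uci batch` commands for the five SSIDs listed above: WPA2-PSK with 802.11r fast transition on the four protected ones and client isolation on FreeWifi. It assumes radio0 (2.4GHz) and radio1 (5GHz) exist from the default install and that the interfaces lan, dk and guest exist in /etc/config/network; the passphrases, mobility domains and NAS identifier are placeholders, and `ft_psk_generate_local` is used instead of hand-maintained r0kh/r1kh key lists. Section names such as `wi2us` are hypothetical.

```shell
#!/bin/sh
# Added example, not the blog's own /etc/config/wireless: print a `uci batch`
# script defining the five SSIDs above, with WPA2-PSK and 802.11r fast
# transition on the four protected ones and client isolation on FreeWifi.
# ASSUMPTIONS: radio0 (2.4 GHz) and radio1 (5 GHz) exist from the default
# install; interfaces lan, dk and guest exist in /etc/config/network;
# every value marked CHANGE-ME is a placeholder.
PSK_LAN="CHANGE-ME-lan-passphrase"
PSK_DK="CHANGE-ME-dk-passphrase"
MD_LAN="4f57"       # mobility domain, 4 hex digits, identical on every AP of the lan network
MD_DK="4f58"        # a second domain for the dk network, again identical on every AP
NASID="CHANGE-ME"   # NAS identifier of this AP, e.g. its LAN MAC without colons; set per router

# One WPA2-PSK SSID with fast transition. ft_psk_generate_local makes each AP
# derive the FT key hierarchy from the PSK, so no r0kh/r1kh lists have to be
# kept in sync across the five routers. Transitions go over the air; leave
# over-the-DS off unless the APs are also set up to talk to each other by RRB.
ft_iface() {
    name="$1"; radio="$2"; ssid="$3"; net="$4"; psk="$5"; md="$6"
    cat <<EOF
set wireless.$name=wifi-iface
set wireless.$name.device='$radio'
set wireless.$name.mode='ap'
set wireless.$name.ssid='$ssid'
set wireless.$name.network='$net'
set wireless.$name.encryption='psk2+ccmp'
set wireless.$name.key='$psk'
set wireless.$name.ieee80211r='1'
set wireless.$name.mobility_domain='$md'
set wireless.$name.ft_over_ds='0'
set wireless.$name.ft_psk_generate_local='1'
set wireless.$name.nasid='$NASID'
EOF
}

# The open guest SSID: no keys, so there is nothing for FT to hand over, but
# isolate keeps visitors' clients from talking to each other through the AP.
guest_iface() {
    cat <<EOF
set wireless.guest0=wifi-iface
set wireless.guest0.device='radio0'
set wireless.guest0.mode='ap'
set wireless.guest0.ssid='FreeWifi'
set wireless.guest0.network='guest'
set wireless.guest0.encryption='none'
set wireless.guest0.isolate='1'
EOF
}

wireless_uci_batch() {
    ft_iface wi2us radio0 Wi2-us lan "$PSK_LAN" "$MD_LAN"
    ft_iface wi2dk radio0 Wi2-dk dk  "$PSK_DK"  "$MD_DK"
    guest_iface
    ft_iface wi5us radio1 Wi5-us lan "$PSK_LAN" "$MD_LAN"
    ft_iface wi5dk radio1 Wi5-dk dk  "$PSK_DK"  "$MD_DK"
    echo "commit wireless"
}

# On the router: wireless_uci_batch | uci batch && wifi
# Run on its own, the script only prints the batch for review.
wireless_uci_batch
```

Two things to check before expecting 50msec handovers: the `wpad-mini` package installed by default on 18.06 does not include 802.11r, so replace it with the full `wpad` package on every router, and the mobility domain must really be identical on all routers of one network, because a client only attempts a fast transition to an AP advertising the same domain.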

In a future blog post I will describe:

  • how to throttle the FreeWifi network
  • how to route a full network via my Danish datacenter
  • and finally a script to handle all of this

Stay tuned

This entry was posted in internet, Linux.