Extending a wireless network with OpenWRT.
One of my earliest covid-19 lockdown projects was doing a little work on my home wireless network. I have a fairly nice wireless access point upstairs running OpenWRT, sitting behind the piece-of-shit DSL modem-slash-wireless access point our ISP makes us use. All of our devices connect to that AP instead of the DSL modem. Let's call it Upstairs. However, the dodginess of the construction of our house being what it is (please don't ask), wireless coverage from upstairs isn't the greatest downstairs. The fix for this, conveniently, is to set up another wireless access point downstairs and connect the two in such a way that wireless devices downstairs connect to the second access point (let's call this one Downstairs), which then transparently relays the users' traffic to the Upstairs AP, and then to the public Net (or one of the machines also hanging out on Upstairs). This was a remarkably easy thing to do but it did take a little background research, which was daunting in and of itself so my goal here is to lay out a nitty-gritty, "Here's how you do this thing" process so you can do it yourself. Also, in today's political climate, this process has the potential for filling in some essential gaps in emergencies.
First, some basic assumptions that you have to make for this to work: Your wireless access points have to be dual-band - they must be capable of supporting both 2.4GHz and 5GHz networking simultaneously. This means that they have two independent radios on board. If they don't, this won't work. Seriously, don't try to get clever with this. Any hackery you try to pull is going to be brittle, and you'll be inflicting kinetic pattern baldness upon yourself needlessly. Second, it is entirely possible to extend one SSID using this technique but you don't have to. We have three related wireless networks here: Upstairs-2.4GHz, Upstairs-5GHz, and Downstairs-5GHz but you can do it differently if you want. Third, unless you're already using OpenWRT for your wireless network, this probably won't work.
This is an advanced project so you might not want to tackle this on your own if you haven't been tinkering with OpenWRT for a while; this includes being comfortable with SSHing into your access point and installing software (including the web control panel). I won't walk you through the installation process because OpenWRT already has good documentation for this. Follow it first to bootstrap your second access point-slash-wireless network extender before you start this tutorial. I'll also walk you through some of the gotchas I ran into to make life easier for everyone else. We're going to assume that you're using OpenWRT's default 192.168.0.0/24 private network layout already, but if you aren't, adjust the instructions as required. You do not have to be running the same version of OpenWRT on your access points. I'm running v18.06.2 on Upstairs and v19.07.2 on Downstairs.
When I built this out at home I purchased a duplicate of the access point I already have. You probably don't have to do this, but I did just to be sure I knew the make and model was solid.
For the record (and the sake of my external memory) here are the instructions I used when I originally figured this out.
To start you'll have to make a minor modification to the Upstairs access point. SSH in (with something like ssh email@example.com) and edit the /etc/config/wireless file with whatever text editor you have installed (I use /bin/vi, which is part of the busybox install that OpenWRT is built on top of, but use whatever works for you). Find the configuration stanza for one of the wireless networks on your Upstairs access point (I picked Upstairs-2.4GHz) and add the line option wds '1' to the very end of its configuration stanza. It should look like this:
config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option macaddr '00:20:91:01:01:01'
        option disassoc_low_ack '0'
        option encryption 'psk-mixed'
        option key 'LoveSexSecretGod'
        option ssid 'Upstairs-2.4GHz'
        option wds '1'
Then reboot your Upstairs access point for the change to take effect (this is mandatory). What this does is configure that radio for Wireless Distribution System mode, which basically tells the radio "transparently bridge traffic from other wireless access points on this wireless network in addition to handling client traffic." You won't find this setting in the web control panel before or after you set it, which is why you have to SSH in. This is the only major change to Upstairs that you need to make.
If you want to make sure it worked you can SSH back into Upstairs and run the ifconfig command to list all of the network interfaces running on that device. One of the interfaces (probably the final one displayed) will be a new interface called <something>.sta<some number here> if it worked:
wlan1.sta12 Link encap:Ethernet  HWaddr 00:20:91:01:01:01
          inet6 addr: fe80::c056:27ff:fe71:3578/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2765152 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5341973 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:510233305 (486.5 MiB)  TX bytes:7265942846 (6.7 GiB)
When you set up your second access point (Downstairs) you'll want to do it over a hardline, which is to say that you'll want to use a USB Ethernet adapter plugged straight into your second access point if your laptop doesn't have an Ethernet jack (if it does, just use that). I use this one from my field kit, but use whatever works for you. Most access points default to giving their clients addresses in the 192.168.1.0/24 range; when OpenWRT boots up it defaults to the 192.168.0.0/24 range so you'll want to unplug your hardline, wait a minute or so for your workstation to give up its DHCP lease, and then plug it back in so you get a new address on the network. Otherwise you'll be trying to figure out how to get into your "new" access point and wondering if you bricked it.
Now SSH into your new Downstairs access point as the root user over the hardline (ssh firstname.lastname@example.org) and edit the /etc/config/dhcp file. What you want to do here is add the line option ignore '1' to the stanza for the 'lan' configuration, like this:
config dhcp 'lan'
        option interface 'lan'
        option dhcpv6 'server'
        option ra 'server'
        option ignore '1'
        option ra_management '1'
What that option does is tell the DHCP server to not do anything with the client wireless network. There is already one available on Upstairs and you don't need another one.
Digression: OpenWRT calls 'lan' the part that clients on the access point are using. It calls 'wan' the part of the access point that's upstream, say, the part you've plugged into a DSL modem.
Now you need to edit the /etc/config/network file on Downstairs to give the 'lan' interface (the one that all of your wireless devices will hang out on) a static address. By convention I gave the one on Upstairs the address 192.168.0.1, so I kept with the pattern and gave the one on Downstairs the address 192.168.0.2. We're also going to turn on the 'bridge' option so that Downstairs knows that it's going to relay traffic to and from Upstairs over wifi. To make life easier in the long run we're also going to hardwire the default gateway and default DNS (which also speeds things up a bit). The 'lan' configuration block should look a lot like this:
config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ipaddr '192.168.0.2'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.0.1'
        list dns '192.168.0.1'
At this point, I strongly recommend that you go back to your Upstairs access point, log into the web control panel, and flag that IP address as static so that the DHCP server won't try to reassign it and screw everything up. Go to "Network -> DHCP and DNS", scroll all the way to the bottom of the page to where it says "Static Leases", type the name of your new Downstairs access point into the box in the Hostname column, and then go to the IPv4-Address dropdown and pick the IP address you hardwired into Downstairs (192.168.0.2). Click the "Save & Apply" button.
While we're logged into Upstairs, take note of the wireless settings of the radio you want Downstairs to talk to. In the Luci web control panel, that's "Network -> Wireless". On my access point I'm using radio0 and it's configured for 802.11nac, channel 36 (5.180GHz). Use the web control panel on Downstairs ("Network -> Wireless, radio0 -> Edit") to set its radio0 to the same settings. If it's not enabled, click the "Enable" button. This minimizes the amount of reconfiguration you have to do on all of your wifi gadgets. While you're in that wireless network panel, scroll down to the "Interface Configuration" part. Set the Mode drop-down to "Access Point", set the ESSID to the downstairs network name (Downstairs-5GHz), and set the Network drop-down to LAN. Click on the Wireless Security tab, and set your encryption to the strongest your wifi gadgets will support (for me, it's WPA2-PSK Mixed Mode), Cipher to "auto", and set a wireless password (to make life easier for yourself, set it to the same password that Upstairs uses; just know that you're trading off security for convenience here). Click the checkbox for "Enable key reinstallation (KRACK) countermeasures"; if you're on Downstairs and you have problems with high-traffic stuff like installing patches or gaming you'll probably have to un-check this option. Click the "Save" button.
If you're feeling saucy and want to do this on Downstairs manually here's what the radio0 and default_radio0 config stanzas in /etc/config/wireless should look like:
config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
        option htmode 'VHT80'
        option country 'US'
        option disabled '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option macaddr '00:20:91:02:02:02'
        option wpa_disable_eapol_key_retries '1'
        option key 'LoveSexSecretGod'
        option ssid 'Downstairs-5GHz'
        option encryption 'psk-mixed'
        option disabled '0'
That's your downstream - the part your wifi devices interact with.
Go back to your Upstairs access point. Remember the radio you reconfigured by adding that line for WDS earlier? The one I gave you an example config block for after the cut named Upstairs-2.4GHz? You're going to want to write down the wireless settings for that because you need to copy them for the Downstairs AP. On my setup, it's radio1, Mode N, Channel 11 (2.462 GHz), SSID Upstairs-2.4GHz.
You need to configure your upstream with those settings - the part of your new Downstairs access point that talks to your existing Upstairs AP and pushes traffic back and forth. I highly recommend that you do this from the Luci web control panel to make life easier on yourself. On Downstairs, go to "Network -> Wireless" and pick the radio that you haven't configured yet (probably radio1). Hit the "Edit" button. Make sure the wireless network is enabled; if it's not hit the "Enable" button. Set a Mode, a Channel, and a Width (this needs to match the settings you wrote down from Upstairs). In the "Interface Configuration" part down below, set Mode to "Client WDS", ESSID to the Upstairs ESSID (Upstairs-2.4GHz), and Network to 'lan'. On the wireless security tab make the Encryption, Cipher, and Key fields match the ones on Upstairs. Hit the "Save" button.
Again, if you're feeling saucy you can edit the /etc/config/wireless file on Downstairs and edit the configs for radio1 so that they look something like this:
config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
        option htmode 'HT20'
        option disabled '0'
        option country 'US'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'sta'
        option wds '1'
        option ssid 'Upstairs-2.4GHz'
        option encryption 'psk-mixed'
        option key 'LoveSexSecretGod'
        option macaddr '00:20:91:03:03:03'
Again, note the option mode 'sta' and option wds '1' lines, which tell that wireless radio to consider itself a client and not an access point, and to run in Wireless Distribution System mode to bridge traffic.
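The link between the two access points only forms when the Upstairs stanza (mode 'ap') and the Downstairs stanza (mode 'sta') use the same SSID, encryption and key, and both carry option wds '1'. The script below is an added example, not part of the original write-up, that checks two copies of /etc/config/wireless for exactly that; the function names, file names and trimmed sample stanzas are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post; sample stanzas are constructed, names are assumptions.

# iface_summary FILE MODE SSID -> "encryption|key|wds" of the matching wifi-iface
iface_summary() {
    awk -v mode="$2" -v ssid="$3" -v q="'" '
        function flush() {
            if (!done && o["mode"] == mode && o["ssid"] == ssid) {
                print o["encryption"] "|" o["key"] "|" (o["wds"] == "1" ? 1 : 0); done = 1
            }
            split("", o)                            # reset for the next stanza
        }
        $1 == "config" { flush(); iface = ($2 == "wifi-iface"); next }
        iface && $1 == "option" {
            val = $0
            sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val)
            gsub("^[" q "\"]|[" q "\"]$", "", val)  # strip surrounding quotes
            o[$2] = val
        }
        END { flush() }' "$1"
}

# check_wds_pair AP_FILE STA_FILE SSID -> findings on stdout; returns 0 if both ends agree
check_wds_pair() {
    ap=$(iface_summary "$1" ap "$3"); sta=$(iface_summary "$2" sta "$3")
    [ -n "$ap" ]  || { echo "no AP stanza for '$3'"; return 1; }
    [ -n "$sta" ] || { echo "no client (sta) stanza for '$3'"; return 1; }
    rc=0
    [ "${ap##*|}" = 1 ]  || { echo "AP side lacks option wds '1'"; rc=1; }
    [ "${sta##*|}" = 1 ] || { echo "client side lacks option wds '1'"; rc=1; }
    [ "${ap%|*}" = "${sta%|*}" ] || { echo "encryption or key differs"; rc=1; }
    case "${ap%%|*}" in
        psk|psk-mixed*) echo "note: ${ap%%|*} also admits WPA1 clients; psk2 is WPA2-only" ;;
    esac
    return "$rc"
}

write_sample() {    # write_sample FILE MODE: constructed stanza, checked options only
    cat > "$1" <<EOF
config wifi-iface 'default_radio1'
        option mode '$2'
        option ssid 'Upstairs-2.4GHz'
        option encryption 'psk-mixed'
        option key 'LoveSexSecretGod'
        option wds '1'
EOF
}

d=$(mktemp -d); write_sample "$d/upstairs" ap; write_sample "$d/downstairs" sta
check_wds_pair "$d/upstairs" "$d/downstairs" 'Upstairs-2.4GHz'
```

To run it against the real thing, copy each access point's /etc/config/wireless to your workstation and pass the two paths plus the SSID to check_wds_pair.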
Assuming that you're still logged into the Downstairs AP's web control panel, there are a couple of tweaks that you have to make. In "Network -> DHCP and DNS", put the IP address of Upstairs into the box by DNS forwardings. This tells Downstairs to always make DNS requests of Upstairs and not try to run a competing service (which never goes well due to DHCP). Then go to "Network -> Interfaces -> LAN: Edit" and make sure that it's set to "Static address", that its IPv4 address is the one you hardwired (192.168.0.2), and that "Bring up on boot" is checked. Ensure the IP address of Upstairs (192.168.0.1) is in the "IPv4 gateway" field (you hardwired it earlier), and copy that address into one of the "Use custom DNS servers" fields. Click the "Save" button.
Now for the moment of truth: On the Downstairs AP, go to "System -> Reboot" in the web control panel (or if you're SSH'd in, type reboot) and disconnect your hardline from the new AP. You'll have to wait a bit for it to come up, probably less than a minute. If you look at your system's wireless settings (which can usually be found in the toolbar) you should see your original wireless networks running on Upstairs, and you should also see your new Downstairs-5GHz network. Click on that one and enter the password for it when prompted. If you check, your computer should be attached to that new network, and you should be able to noodle around on the Net as usual. If you want to make any modifications at this time, like if you want to set up traffic shaping, this is the time to do it. Then power your new Downstairs AP down, physically move it to where you want to improve coverage, and plug the power back in. When you fire it up, you should not only see your existing wireless networks (Upstairs-2.4GHz and Upstairs-5GHz) but a new one called Downstairs-5GHz. Connect to it and supply the wireless password you've been using, and then punch around on the Net a little bit to make sure you can hit your favorite sites. If you can, that should be it so congratulations! You did the thing.