Advice needed - OPNsense + Dumb APs

talowicz · January 31, 2025, 04:22:06 AM

Hello.

I am looking to add a few WAPs to my LANs but dont know how to go about doing it. Ideally I would like the APs to be 'dumb' and be able to flash OpenWRT onto them. I then do not know how I would go about managing them. Would this be done over the network or would there be an physical interface I can plug into to configure. The latter would be ideal.
Basic network topology of my subnets, interfaces and where I want an AP deployed

eth0 - WAN <-- DHCP from ISP
eth1 - LAN1 <-- 192.168.10.1/24 + AP ACCESSIBLE
eth2 - LAN2 <-- 192.168.20.1/24 + AP ACCESCIBLE
eth3 - MGMT <-- 192.168.99.1/24

Firewall ip is 192.168.99.1

Can anybody point me in the right directions as to how one can setup a dumb ap with opnsense.

Thanks in advance!

passeri · January 31, 2025, 04:43:05 AM

Are these bridged APs or routed? If the former then access them from your MGMT LAN by their IP address, otherwise via WiFi in their networks to have no open upstream port. Whether you can plug in to the APs physically depends on what they are.

Mo'Kai · January 31, 2025, 08:01:12 AM

Hi,
I have the same network topology. You can access the dumb AP's as you wish over opnsense network ( LAN/WiFi), provided you do a correct configuration of openwrt dumb AP's.

dseven · January 31, 2025, 10:44:49 AM

Your questions are really mostly about how OpenWRT works, so you might be better off asking the OpenWRT community how to set up and manage your APs. If the APs are truly "dumb", OPNsense wouldn't even know that they are there.

Most (though not all) APs have only one ethernet port, so physically separating management from user traffic might not be feasible. A more modern approach would be to use VLANs for your LAN1, LAN2 and management. You'd (probably) need a managed ethernet switch to do that. You probably could then create management interfaces (on the relevant VLAN) on your OpenWRT APs.

Seimus · January 31, 2025, 12:26:27 PM

With OpenWRT its simple,

You can allocate ports and VLANs to SSIDs as you wish.

You can create for example management IP on OpenWRT with specific VLAN if you desire on a specific port or bridge and connect it to a management VLAN/Network on OPNsense, or without VLAN. This way you can manage your Dumb AP effortlessly.

Than you can specify the same for SSIDs, attach them to a specific interface or a bridge and TAG it with a VLAN if you desire. If you want only a Dumb AP, do not assign on OpenWRT IPs(let them unmanaged) for the interfaces that attach to SSIDs, this way the GW will be OPNsense and OpenWRT with SSIDs will forward frames to OPNsense as the GW per SSID.

Devices > Interfaces > SSIDs

Regards,
S.

hharry · January 31, 2025, 02:09:49 PM

IMO, your better off with a WAP management solution, i use Ubiquiti U6+ WAP's ( which is based from OPENWRT ), plus use on-premises self hosted UniFi to manage the WAP's, i have the WAP's configured in bridged mode, and are fed via 1000BaseT PoE, quite simple to setup...and performance is great. And yes i use opnsense as internet g/w and F/W.

Ubiquiti WAP's, can user either L2 or L3 adoption to self hosted UniFi....

https://help.ui.com/hc/en-us/articles/204909754-Remote-Adoption-Layer-3

so if your self hosted UniFi is connected to a different L2 segment to that of the WAP's, you just need to enable L3 adoption as in above article etc.

self hosted UniFi gives you great insight to WiFi WAP and supplicant performance, and makes configuring the WAP's a breeze, and makes WAP firmware updates as simple as a single click of a button etc...save you a ton of time....

Advice needed - OPNsense + Dumb APs

talowicz

January 31, 2025, 04:22:06 AM

passeri

January 31, 2025, 04:43:05 AM #1

Mo'Kai

January 31, 2025, 08:01:12 AM #2

dseven

January 31, 2025, 10:44:49 AM #3

Seimus

January 31, 2025, 12:26:27 PM #4

hharry

January 31, 2025, 02:09:49 PM #5 Last Edit: January 31, 2025, 02:35:53 PM by hharry