I initially wanted them on the same bridge to keep a simple setup, as you noted. With my pre-mesh setup using only 1 node, I noticed that if 2 guest clients are connected, one on 2.4GHz and one on 5GHz, with both wlans assigned to the same bridge, any attempt at isolating the clients from each other did not work. AP Isolation, Net Isolation, IPTABLES rules to block the bridge from itself, or to block interfaces within the bridge from each other, none of those worked.
Are you aware that if the WAN is disabled, a lot of functionality changes? One or the other, Net Isolation or AP Isolation, no longer works, for one. There is a single iptables rule that fixes this behaviour. Search for it in the forum. I think @egc has it in his sig.
Quote:
My thinking here is to reserve that ethernet port on each node to behave like a Guest network, where if the need arises I can plug in a device to it (Printer, TV, etc.) and have it isolated from my trusted network. Ideally it would be nice to just add it to the same VLAN I am already using for the guest wlans, but due to the isolation issues I am having I decided to keep it separate.
Your printer or any connected non-managed-switch device should not be able to detect a tagged trunk port. It HAS to be untagged with the proper PVID for the vlan in order for the device to connect to the correct subnet.
_________________
- Linksys EA8500: I-Gateway, WAP/VAP 5ghz only. Features: VLANs, Samba, WG, Entware - r60xxx
- Linksys EA8500: 802.11s Secondary w/VLAN Trunk over 5ghz - r60xxx
- Linksys MX4300: 802.11s Primary w/VLAN Trunk over 5ghz. 2.4ghz WAP/VAP only - r60xxx
- Linksys MX4300: (WAP/VAP (7)) Multiple VLANs over single trunk port. Entware/Samba r60xxx
- Linksys MR7350: WDS Station for extended Ethernet r60xxx
- Linksys MR7500, MX8500: None in production. Just testing. r60xxx
- OSes: Fedora 40, 10 RPis (2,3,4,5), 23 ESP8266s: Straight from Amiga to Linux in '95, never having owned a Windows PC.
- Forum member #248
I spent the last week testing out a barebones setup on a newer build, 60269, with the aim of better understanding 802.11s mesh and at what point VLANs might be appropriate, but I kept running into an issue.
If we look again at my previous setup as an example:
Quote:
Code:
Node 1 (gateway)
bridge name  bridge id          STP enabled  interfaces
br0          8000.80691a1ded9d  no           eth2
                                             eth3
                                             wlan0
                                             wlan1
                                             wlan2
br1          8000.80691a1ded9d  no           wlan0.10
                                             wlan1.1
br2          8000.80691a1ded9d  no           wlan0.20
                                             wlan2.1
br3          8000.80691a1ded9d  no           eth1
                                             wlan0.30

Node 2
bridge name  bridge id          STP enabled  interfaces
br0          8000.80691a228e1a  no           eth0
                                             eth2
                                             eth3
                                             wlan0
                                             wlan1
                                             wlan2
br1          8000.80691a228e1a  no           wlan0.10
                                             wlan1.1
br2          8000.80691a228e1a  no           wlan0.20
                                             wlan2.1
br3          8000.80691a228e1a  no           eth1
                                             wlan0.30
br1 is a Guest VAP, with all DHCP being done on Node 1. When I run this br1 without VLAN tagging, a client can connect to Node 1 just fine. When I force a client to connect to Node 2, it is unable to get an IP Address.
When I run br1 with VLAN tags (wlan0.10), clients can connect normally to Node 2.
The only information I have seen on setting up VAPs was for WDS, so that wasn't as helpful in this case for 802.11s.
I am guessing that any wlan or eth interface either natively or manually assigned to br0 works out of the box with this mesh setup. Even if we create new bridge interfaces named the same on both nodes, i.e. br1, the nodes treat them as separate and distinct entities and don't assume they are somehow linked, which explains why a client connecting to br1 on Node 2 (with DHCP off) can't get an IP Address.
Am I correct in understanding that an 802.11s mesh setup with a VAP (or any additional interface NOT on br0) would require the use of VLANs in order to function correctly? Or is there something I am missing?
First of all, and you didn't specify whether this has been done or not, but you must specify each vlan for the 802.11s interface. The tags must be present and the bridge assigned to it in order to get an IP address assigned from the correct subnet. You only need to tag the 802.11s interface, multiple times for multiple vlans. A screenshot of your Networking tab would be most helpful here.
VLANs are not required. You can always unbridge the interfaces but this would lead to a completely different and slightly more complicated configuration.
Also, since you have upgraded, your interface names would have changed from ethN to lanN. Did you make those changes on each node in the Networking tab?
Alright, got a 2 node Mesh working. Between two MX4300's I had to use wlan2 as the back-haul. It would not work on wlan0.
Setup is like:
ATT Fiber router --> hardwired to a mx4300 w/dd-wrt main router <-- another mx4300 w/dd-wrt in the garage.
Main and garage router are meshed via wlan2 and both expose APs for my family to use over wlan0 and wlan1, with an additional VAP on wlan1.1 (for some old wifi printer we have that I don't want to figure out how to reconfigure).
MAIN and GARAGE routers have WAN Connection disabled. DHCP disabled.
Ok, so I've re-done my setup as a more straightforward example to make it easier to analyze and troubleshoot.
I've followed the guides in this post to setup the 802.11s Mesh and a guest VLAN.
One issue remains: With 2.4GHz and 5GHz radios in the same Guest bridge (br1), two clients who connect to br1 on Node 2 but on different radios can ping each other. It was mentioned egc had posted an iptables rule to try, but I was not able to find it.
Routers: Two MX4300s
Build: 60269
wlan0: 5GHz Mesh Backhaul
wlan1: 2.4GHz Primary network
wlan1.1: 2.4GHz VAP for Guest Network (VLAN tag 10)
wlan2: 5GHz Primary Network
wlan2.1: 5GHz VAP for Guest Network (VLAN tag 10)
Node 1 is the gateway and handles DHCP and Firewall, Node 2 WAN is disabled.
AP Isolation is enabled for the VAPs. Net Isolation is disabled, since I want to be able to connect to/administer devices on the Guest network.
I have attached screenshots of the Networking page for both nodes.
Code:
IPTABLES
## isolate Guest bridges from the router itself (prevents WebIF/GUI access)
## Port 53 DNS, Port 67 DHCP should be allowed.
iptables -I INPUT -i br1 -m state --state NEW -j REJECT
iptables -I INPUT -i br+ -p udp -m multiport --dports 53,67 -j ACCEPT
iptables -I INPUT -i br+ -p tcp -m multiport --dports 53,67 -j ACCEPT
# Prevent wlan interfaces within same Guest bridge from talking to each other
# i.e. 2.4GHz client able to ping 5GHz client
# Since AP Isolation only restricts within same radio, not across radios.
ebtables -I FORWARD --logical-in br1 --logical-out br1 -j DROP
# block connections from Guest br1 to Main br0
# connection from br0 to br1 possible
# Rejects NEW traffic, but allows ESTABLISHED,RELATED traffic through
iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j REJECT
## Alter TTL of network discovery traffic to allow it to cross subnets
## This will allow chromecast, etc. traffic from main network to guest network
iptables -A PREROUTING -t mangle -p udp --dport 1900 -j TTL --ttl-inc 1
## Enable Guest wlan interfaces to send mDNS traffic to main network (udp 5353)
iptables -I INPUT -i br1 -p udp --dport 5353 -j ACCEPT
## Enable main network to accept incoming Plex traffic from Hisense Smart TV
## Using MAC Address, since IP Address could change under current setup
iptables -I FORWARD -m mac --mac-source BC:5C:[redacted] -p tcp --dport 32400 -j ACCEPT
iptables -I FORWARD -m mac --mac-source BC:5C:[redacted] -p tcp --dport 32469 -j ACCEPT
iptables -I FORWARD -m mac --mac-source BC:5C:[redacted] -p udp --dport 32410 -j ACCEPT
iptables -I FORWARD -m mac --mac-source BC:5C:[redacted] -p udp --dport 32412 -j ACCEPT
iptables -I FORWARD -m mac --mac-source BC:5C:[redacted] -p udp --dport 32413 -j ACCEPT
iptables -I FORWARD -m mac --mac-source BC:5C:[redacted] -p udp --dport 32414 -j ACCEPT
I have tested all combinations of 2 guest clients on Node 1, Node 2, 2.4GHz and 5GHz, and the only one that fails the test is both clients on Node 2 but different radios.
The ebtables rule listed above does solve the same issue for Node 1. (Unlike iptables, I found that I had to either reboot the router or disconnect/reconnect the client in order for it to take effect, which is why I thought it didn't work previously.)
I have tried disabling "Shortcut Forwarding Engine" on both nodes, in case some firewall was being skipped, but that didn't help.
I did notice that in your setup, lexridge, you only have 1 radio per VLAN, which may explain why this issue didn't come up for you.
Any input on a possible solution for me would be greatly appreciated. If nothing else, I can revert back to my previous setup of having each radio on a separate VLAN, instead of trying to combine them.
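An audit helper I added for the situation described in this post (not code from the thread or from DD-WRT): given the text of `brctl show` and `ebtables -L FORWARD`, it flags guest bridges whose VAPs come from more than one radio but lack the intra-bridge ebtables DROP. The brctl and ebtables samples inside it are constructed to mirror the wlan1.1/wlan2.1 layout above, and the exact `ebtables -L` line format is an assumption.

```shell
#!/bin/sh
# Added audit helper (not code from the thread or from DD-WRT). AP Isolation
# only separates clients on the same radio, so a guest bridge holding VAPs from
# two radios lets a 2.4GHz client reach a 5GHz client unless ebtables drops
# bridge-internal forwarding. On the router, run it as:
#   audit "$(brctl show)" "$(ebtables -L FORWARD)" br1

# Constructed samples modeled on the layout in the thread (not real captures).
SAMPLE_BRCTL='bridge name  bridge id          STP enabled  interfaces
br0          8000.000000000001  no           eth2
                                             wlan0
                                             wlan1
                                             wlan2
br1          8000.000000000001  no           wlan1.1
                                             wlan2.1
br3          8000.000000000001  no           eth1
                                             wlan0.30'
SAMPLE_EBT_NONE='Bridge chain: FORWARD, entries: 0, policy: ACCEPT'
SAMPLE_EBT_OK='Bridge chain: FORWARD, entries: 1, policy: ACCEPT
--logical-in br1 --logical-out br1 -j DROP'

# Emit "bridge member" pairs. Continuation lines carry only the interface
# name, so the last bridge seen is carried down to them.
bridge_members() {
    printf '%s\n' "$1" | awk 'NR > 1 {
        if (NF >= 4) { br = $1; print br, $4 }
        else if (NF == 1) { print br, $1 }
    }'
}

# Bridges whose wlan members span more than one radio. wlan1 and wlan1.1 are
# the same radio; a VLAN sub-interface such as wlan0.30 counts as wlan0.
cross_radio_bridges() {
    bridge_members "$1" | awk '
        $2 ~ /^wlan[0-9]+/ {
            radio = $2; sub(/\..*$/, "", radio)
            if (!(($1, radio) in seen)) { seen[$1, radio] = 1; radios[$1]++ }
        }
        END { for (b in radios) if (radios[b] > 1) print b }' | sort
}

# True when the FORWARD listing has a DROP whose logical-in and logical-out
# are both the given bridge (the rule posted above; line format assumed).
has_intra_bridge_drop() {
    printf '%s\n' "$2" | grep -E -e "--logical-in $1( |$)" \
        | grep -E -e "--logical-out $1( |$)" | grep -q DROP
}

# audit BRCTL_OUTPUT EBTABLES_OUTPUT GUEST_BRIDGE...: prints a warning for each
# listed guest bridge that spans radios without the DROP; returns 1 if any.
audit() {
    brctl_out=$1; ebt_out=$2; shift 2
    spanning=" $(cross_radio_bridges "$brctl_out" | tr '\n' ' ')"
    rc=0
    for b in "$@"; do
        case "$spanning" in *" $b "*) ;; *) continue ;; esac
        if ! has_intra_bridge_drop "$b" "$ebt_out"; then
            echo "WARNING: $b mixes radios without an intra-bridge DROP; add:" \
                 "ebtables -I FORWARD --logical-in $b --logical-out $b -j DROP"
            rc=1
        fi
    done
    return $rc
}
```

Only the bridges you name are checked, because the trusted br0 legitimately spans every radio; remember that the DROP took effect here only after a reboot or client reconnect, so re-test after adding it.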
Well, you are right. I am using two different routers, one for 5ghz and another for 2.4ghz so the bridging is different as are the vlans...slightly...with one exception. My garage MX4300 is using both. I have not tried pinging from a guest connected to 2.4 to a guest connected to 5ghz and I do not have the @egc rule in place, and I am also having trouble finding it in the forum, but I will soon. It does exist I assure you.
Never gave much thought about Guests being able to ping each other, but it does seem to offer some entertainment maybe in some sense. I would estimate 99.98% of my guests don't even know what a ping is and I don't get much company until the pool is opened in summer.
This is my garage mx4300 Networking tab. Media is treated as trusted. IoT and Guest are not. I will follow up whenever I find that darned elusive iptables rule.
Edit: Are your iptables rules on both routers or only the Gateway? They should only be needed on the main gateway when using vlans.
Edit: These screen shots are obviously NOT PART OF MY MESH, just an example.
[Attached screenshots: Selection_026.png, Selection_025.png]
Quote:
Never gave much thought about Guests being able to ping each other, but it does seem to offer some entertainment maybe in some sense. I would estimate 99.98% of my guests don't even know what a ping is and I don't get much company until the pool is opened in summer.
These wouldn't be guests per se, but other untrusted/IoT devices I have decided to lump into my Guest network that I don't want poking around looking for vulnerabilities. I don't have a use case at the moment for requiring a separate IoT VAP with different rules.
Quote:
Edit: Are your iptables rules on both routers or only the Gateway? They should only be needed on the main gateway when using vlans.
Just on the gateway.
As an update, I've gone back to my previous setup of having the 2.4GHz/5GHz guest radios on separate bridges and the isolation seems to be working fine now, even without ebtables rules. I will go back later and re-test just to confirm, but it's a relief I can now proceed with configuring other features.
Quote:
Your printer or any connected non-managed-switch device should not be able to detect a tagged trunk port. It HAS to be untagged with the proper PVID for the vlan in order for the device to connect to the correct subnet.
In the same way a wireless client can connect to a guest VAP, obtain an IP address and access the internet, I have mirrored that setup for LAN Port 3 as its own VLAN and subnet with the same firewall rules as Guest. I can plug a laptop into Port 3 on either Node 1 or 2, obtain an IP on that subnet and access the internet. My intention was never to have the connected device be VLAN aware. Perhaps it's not the correct way of doing it, but it seems to work for me. I doubt I'll ever use this port, but it's nice to have it ready in case I ever need to plug in an untrusted device.
Cool, glad you got it worked out! Looks good to me with one exception. If these screen shots are from the main gateway, then you're all good. If they are from either node2 or node3, then you need to remove the IP addresses from the bridges as they are not necessary and can cause leaks between bridges.
Joined: 07 Jan 2011 Posts: 18 Location: San Jose, CA
Posted: Mon Jul 21, 2025 18:12 Post subject: Re: re: Ethernet Backhaul and 802.11s as AP
lexridge wrote:
Since you already have the cables ran, I would definitely hook them up to each node. Let's see what happens!! I don't know what will happen, but would sure be great to find out. If nothing else, it will still give you access to the router if the mesh goes offline and super handy when configuring it to begin with.
You didn't mention if you would be using vlans. It may be easier to route or bridge all the wireless traffic to a vlan that is only available on wired connection. This kind of setup is all new to me too, so you should create a new thread on it as you proceed.
While 802.11s has been included in DD-WRT since what, 2018? It has never really been used except by a handful of folks and no howto was ever written for it. Well, until recently anyway. It was largely the OpenWRT (using mx4300s) folks coming over that really wanted it working, and that piqued my interest to attempt to set it up myself (since I bought 4 of these things). So not much is written on this forum about it until recently. So we are all kinda learning as we go. The more people who use 802.11s in different ways, the more useful and valuable it is to the dd-wrt community as a whole. Please keep us informed of your progress.
@lexridge, this goes back to Dec. I finally got around to trying a mesh setup based on the MX4200s. I've attached a simple layout of my test setup. I was able to set up a 2 meshpoint environment by following your instructions. Mostly everything seems to work, with one issue. I am able to ping all the devices on the network except for PC1 (attached by ethernet to the Primary mp). From PC1 I can ping all devices. But from PC2 or a wireless client (iPad or laptop) I can ping everything except PC1. I discovered this before adding some of the advanced settings, but same results after adding those changes.
Do I need to make some additional routing changes to get this basic configuration to work? I would have thought this would have been an "out of the box" config. Also, you will recall my goal was to setup with ethernet / wired backhaul. Connecting ethernet between the two mp's didn't seem to make any difference to my tests. In fact, it seemed to slow down my internet performance as measured from PC2.
Using a wired backhaul has been proven to not work. The mesh seems to be completely self-contained.
Re: PC1 being able to ping everything but PC2 and wireless devices not being able to ping PC1, are you sure PC1 is not blocking ping requests (ICMP)?
Joined: 07 Jan 2011 Posts: 18 Location: San Jose, CA
Posted: Wed Jul 23, 2025 18:15 Post subject:
lexridge wrote:
Using a wired backhaul has been proven to not work. The mesh seems to be completely self-contained.
Thanks, can you point me to more information on this? I thought 802.11s didn't preclude wired backhaul? Is this a dd-wrt implementation issue?
lexridge wrote:
Re: PC1 being able to ping everything but PC2 and wireless devices not being able to ping PC1, are you sure PC1 is not blocking ping requests (ICMP)?
Ah, rookie oversight! Issue resolved. My PCs are set up with private network sharing profiles, but of course that defaults back to public with a new subnet. Thanks!
rknox wrote:
Thanks, can you point me to more information on this? I thought 802.11s didn't preclude wired backhaul? Is this a dd-wrt implementation issue?
I cannot. It was in this forum however and not so long ago. Maybe a month or two.
I don't remember if it's in the 802.11s spec or not as it's been a long time since I last read it. DD-WRT may allow it, but it may take some really fancy routing to make it work. The fact that the mesh works fine no matter the IP address of the router (it can be on a completely different subnet and mesh still works on the proper subnet) may provide some clues.
Joined: 07 Jan 2011 Posts: 18 Location: San Jose, CA
Posted: Thu Jul 24, 2025 18:14 Post subject:
lexridge wrote:
rknox wrote:
Thanks, can you point me to more information on this? I thought 802.11s didn't preclude wired backhaul? Is this a dd-wrt implementation issue?
I cannot. It was in this forum however and not so long ago. Maybe a month or two.
I don't remember if it's in the 802.11s spec or not as it's been a long time since I last read it. DD-WRT may allow it, but it may take some really fancy routing to make it work. The fact that the mesh works fine no matter the IP address of the router (it can be on a completely different subnet and mesh still works on the proper subnet) may provide some clues.
But I am not seeing any real explanation except that 802.11s is self-contained. Wider search suggests that implementations with 802.11s and wired backhaul can / do exist. And don't proprietary (stock firmware) mesh routers have this feature? Guess I should fire up my remaining stock mx4200 to see.
I don't have the setup to test it and I'm waist deep in other projects atm. If you can test and find a configuration that works, that would be great! Please post about it with details once you figure it out.