Goals 🎯

I have a Xiaomi Redmi AX6000 router, which is the main AP of my home; about 18 IoT devices and about 12 phones and desktops connect to it. I want to set up two SSIDs, each with its own subnet and its own gateway.

Solutions 🛠️

  • Approach 0: Set up two SSIDs (AP, AP-EX) on the same radio, like the guest setup. All traffic would still leave through the same upstream interface, so both networks would share one gateway.

  • Approach 1: Add a per-host DHCP option (via a tag) so selected devices receive a different gateway. The drawback is that every device has to be added to the list by hand, which is tedious — and it is not enforced: a client can simply ignore the offered gateway, so this is not a security boundary.

  • Approach 2: Use macvlan to create a second interface on the upstream link, give it its own IP on the upstream network (static in the config below; a lease from the upstream DHCP server would also work), and steer the new SSID's egress to that interface with policy routing.

Let’s do it! 🚀

Prerequisites on OpenWrt 21.0

# The macvlan kernel module must be loadable. If modprobe fails, the module
# package is not installed (on OpenWrt it is typically kmod-macvlan) -- install
# it first; modinfo below just confirms the module matches the running kernel.
root@xiaomi_redmi-ax6000:~# modprobe macvlan
root@xiaomi_redmi-ax6000:~# modinfo macvlan
module:         /lib/modules/5.4.284/macvlan.ko
alias:          rtnl-link-macvlan
license:        GPL
depends:
intree:         Y
name:           macvlan
vermagic:       5.4.284 SMP mod_unload aarch64

Add the macvlan device and the two interfaces

# /etc/config/network

# ⚠️ A macvlan child of eth1 (the port facing the upstream router, 10.0.10.50)
# named macvlan0. mode 'bridge' lets macvlan children on the same parent talk
# to each other; note that with macvlan the parent eth1 and macvlan0 generally
# cannot talk to each other directly, which is fine for an egress-only uplink.
# The MAC must be unique on the upstream segment -- the upstream router sees
# this as a second host next to eth1's own address.
config device
        option name 'macvlan0'
        option type 'macvlan'
        option ifname 'eth1'
        option mode 'bridge'
        option macaddr '24:cf:24:1a:d6:a1'

# ⚠️ Second upstream address, configured statically on the macvlan child.
# 'gateway' plus 'metric 20' also installs a second default route in the main
# table; the primary wan's default is assumed to have a lower metric and stay
# preferred -- verify with `ip route`. The dns entry only affects the router's
# own resolver, not what clients receive.
config interface macvwan
        option device 'macvlan0'
        option proto 'static'
        option ipaddr '10.0.10.41'
        option netmask '255.255.255.0'
        option gateway '10.0.10.50'
        list dns '10.0.10.50'
        option metric '20'

# ⚠️ New subnet for the AP-EX SSID, 192.168.10.0/24. No 'device' option: the
# wifi-iface in /etc/config/wireless attaches itself via `option network 'tunnel'`.
# The router is .1 and serves DHCP for this subnet (see /etc/config/dhcp).
config interface tunnel
        option proto 'static'
        option ipaddr '192.168.10.1'
        option netmask '255.255.255.0'

DHCP for interface tunnel

Add a DHCP pool (dnsmasq) for the tunnel interface.

# /etc/config/dhcp
# Pool for the AP-EX subnet: start 10 / limit 150 hands out
# 192.168.10.10 - 192.168.10.159.
# dhcp_option '6,...' tells clients to use 10.0.10.50 (the upstream router)
# for DNS, so this router's dnsmasq is bypassed for name resolution; clients
# must therefore be able to reach 10.0.10.50 (the throw routes and the
# tunnel -> macvwan/wan forwardings provide that path).
# 30-day leases are long; fine for a static IoT population, shorten if
# devices churn.
config dhcp tunnel
        option interface tunnel
        option start 10
        option limit 150
        option leasetime 30d
        list dhcp_option '6,10.0.10.50'

Add a new SSID

Most Filogic 820/830 SoCs support VAPs (multiple Virtual Access Points).

VAPs allow a single physical access point to host multiple virtual networks, each with its own SSID and security settings. This is the basis for segmenting networks, such as separating guest or IoT traffic from the internal network — but the VAP alone only separates the radio side; the real isolation comes from putting each SSID into its own interface and firewall zone, as done below.

root@xiaomi_redmi-ax6000:~# iwinfo | grep VAPs
          Supports VAPs: yes  PHY name: apcli0
          Supports VAPs: yes  PHY name: apclix0
          Supports VAPs: yes  PHY name: ra0
          Supports VAPs: yes  PHY name: rax0
          Supports VAPs: yes  PHY name: rax1
# /etc/config/wireless
# Second VAP on radio MT7986_1_2, attached to interface "tunnel" so its
# clients land in 192.168.10.0/24 and in the tunnel firewall zone.
config wifi-iface 'default_MT7986_1_2_tunnel'
        option device 'MT7986_1_2'
        option network 'tunnel'
        option mode 'ap'
        option ssid 'AP-EX'
        # Placeholder only -- replace with a long, unique passphrase before
        # deploying; 'passw0rd' falls to any wordlist attack on a captured
        # WPA2 handshake.
        option key 'passw0rd'
        # WPA2-PSK with CCMP. If this driver/hostapd build supports it,
        # 'sae-mixed' (WPA2+WPA3 transition) is the stronger choice -- verify
        # on this build before switching.
        option encryption 'psk2+ccmp'
        # For an IoT/guest SSID also consider `option isolate '1'` so clients
        # cannot talk to each other through the AP (check the driver honours it).
        option ieee80211k '0'

Routing table & rules

Let’s create a routing table called tunnel (my table ID is 100). Table IDs carry no ordering; pick any unused number that is not one of the reserved ones (253 default, 254 main, 255 local).

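# Map a routing-table id to a name in rt_tables (default /etc/iproute2/rt_tables).
# Usage: ensure_rt_table ID NAME [FILE]
# Returns 0 if the exact mapping is present (or was just appended), 1 if the id
# or the name is already mapped to something else -- the file is then left
# untouched instead of silently adding a conflicting entry.
ensure_rt_table() {
  local id=$1 name=$2 file=${3:-/etc/iproute2/rt_tables}

  # Exact "ID NAME" line already there: nothing to do.
  if grep -qE "^[[:space:]]*${id}[[:space:]]+${name}[[:space:]]*$" "$file" 2>/dev/null; then
    return 0
  fi

  # Refuse to append if the id or the name is taken by a different mapping.
  # A bare `grep -q tunnel` would also match "42 tunnel2" or a comment and
  # then skip the append, leaving `table tunnel` undefined.
  if grep -qE "^[[:space:]]*(${id}[[:space:]]|[0-9]+[[:space:]]+${name}[[:space:]]*$)" "$file" 2>/dev/null; then
    printf 'rt_tables: id %s or name %s already mapped differently in %s\n' "$id" "$name" "$file" >&2
    return 1
  fi

  printf '%s\t%s\n' "$id" "$name" >> "$file"
}

# Register table 100 as "tunnel" for the policy routing below.
ensure_rt_table 100 tunnel || printf 'could not register routing table "tunnel"\n' >&2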

root@xiaomi_redmi-ax6000:~# cat /etc/iproute2/rt_tables | grep tunnel
100     tunnel

We want all traffic from 192.168.10.0/24 to leave through macvlan0, so we populate the tunnel table and then add a rule that selects that table for this source range.

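# Populate the "tunnel" policy-routing table (id 100 from rt_tables above).
# `replace` instead of `add`: re-running the script must not abort with
# "RTNETLINK answers: File exists".
# NOTE: ip route / ip rule state is not persistent -- it is gone after a
# reboot (and after an interface reload); persist it in /etc/config/network
# (config route / config rule stanzas) or at least in /etc/rc.local.

# Default route: anything this table does not throw back leaves via macvlan0
# towards the upstream router.
ip route replace default via 10.0.10.50 dev macvlan0 table tunnel

# Private ranges (RFC 1918) plus the CGNAT shared range 100.64.0.0/10
# (RFC 6598, not RFC 1918): `throw` ends the lookup in this table and falls
# through to the main table, so traffic to local/upstream networks keeps its
# normal path instead of being pushed out macvlan0.
for prefix in 10.0.0.0/8 100.64.0.0/10 172.16.0.0/12 192.168.0.0/16; do
  ip route replace throw "$prefix" table tunnel
done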

With the table populated, add the rule that sends traffic from the new subnet to it. Keep in mind that ip route/ip rule changes live only in the kernel: they are lost on reboot and when netifd reloads the interfaces, so for a permanent setup put them in /etc/config/network (config route / config rule stanzas) or, at minimum, in /etc/rc.local.

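# Send everything sourced from the AP-EX subnet through the tunnel table.
# A fixed priority keeps the rule at a known position between the kernel's
# defaults (0 local, 32766 main, 32767 default); deleting first makes the
# script re-runnable without stacking duplicate rules.
ip rule del from 192.168.10.0/24 lookup tunnel priority 1000 2>/dev/null
ip rule add from 192.168.10.0/24 lookup tunnel priority 1000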

Firewall

The last part is the firewall: a zone for each of the two new interfaces and the forwardings between them.

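# /etc/config/firewall

# Zone for the AP-EX subnet (interface "tunnel", 192.168.10.0/24).
# input ACCEPT exposes every service this router listens on (ssh, LuCI,
# dnsmasq, ...) to these clients. For a guest/IoT-style network tighten it to
# REJECT and allow only DHCP (udp 67/68) with an explicit rule -- DNS is
# served by 10.0.10.50 per the dhcp_option 6 setting, not by this router.
config zone
        option name             tunnel
        list   network          tunnel
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

# Zone for the macvlan uplink (interface "macvwan", 10.0.10.41 on the upstream
# LAN). This zone was also named "tunnel", so the forwarding below that targets
# dest "macvwan" had no zone to match; it is named macvwan here.
# input REJECT: this interface sits on the upstream network exactly like "wan",
# so the router's services must not be reachable on 10.0.10.41 by default; add
# an explicit rule if management from the upstream LAN via this address is wanted.
# masq 1 is required: without it 192.168.10.x source addresses would leak onto
# the upstream segment.
config zone
        option name             macvwan
        list   network          macvwan
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

# AP-EX clients may leave through the macvlan uplink (the policy-routed default).
config forwarding
        option src              tunnel
        option dest             macvwan

# ... and through the regular wan zone: destinations covered by the `throw`
# routes (RFC 1918, 100.64.0.0/10) fall back to the main table and leave via
# wan, which is also how clients reach their DNS server 10.0.10.50.
# There is deliberately no tunnel -> lan forwarding, so with the usual default
# forward policy of REJECT, AP-EX clients cannot reach the main LAN.
config forwarding
        option src              tunnel
        option dest             wan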

Notes ☕

  • The ip rule / ip route pair does the path selection. Rules are evaluated in ascending priority order (the first matching rule whose table yields a route wins), while within a table routes are chosen by longest prefix match, not by the order in which they were added.