10.03.1: How to use client mode and non-NATting routing

Hi all. I've been banging my head on a problem for a few hours. Either I've forgotten how to set up OpenWRT, or there's some subtlety that I'm missing.

I have an old WRT54G running OpenWRT 10.03.1. I'd like to repurpose it to extend a network to a building which is several hundred feet from my house. In preparation, I'm trying to configure the 54G to act as a client of my main in-house WIFI network.

Some details:

Home WIFI network is running from an R7800. 192.168.21.0/24.
Proposed new subnet 192.168.23.0/24

I've got the 54G set up in client mode, and it connects to my main network just fine.
I associated the WIFI link with network zone "wan", and left the LAN ports on network zone "lan".
I turned off masquerading in both directions
I set the firewall rules to "allow" for all traffic in both directions.

The 54G DHCP's 192.168.21.197 as its client address on the WIFI link.

I can ping from 192.168.2.1 to 192.168.21.197.
I can ping from 192.168.23.1 to 192.168.2.1.
I can ping each of the internal interfaces on the 54G from the other.

The thing that I can't seem to get working is forwarding of traffic from the wan to lan or vice versa. I expected that if I set the firewall rules to allow, and associated the interfaces with the network groups, that that would be sufficient, but I suspect I'm missing something.

Any hints appreciated.

Don’t spend any time on this device. It is way too old and the openwrt version is so obsolete that nobody is likely going to be able to support you (or even remember the ins and outs and config details of that literally decade old firmware). Not to mention the speed of the WiFi (54 Mbps theoretical, much less than that in reality). And the range from that device isn’t very good.

Buy something newer (some perfectly good options can be found as cheap as $20 US). You may also want to consider purpose-built devices for spanning that gap.

Hi,

Not sure if you are able, but if you are, put them in the same zone, LAN, as zoning means policing, and if you trust the other site then you don't need any access rules.

Can you do traceroute from both sides (WRT54G and R7800)?
What is the gateway you are getting from both sides, is that correct?

Adding static routing wouldn't be the case here as they are directly connected networks so the only issue would be access rules.

Peace

I think you'd want some sort of CPE device out at the building. Two desktop routers with stock antennas are not going to link very well if at all over several hundred feet.

The remote router should have a static route to the main router's LAN network via the main router. This already exists since the default route to 0.0.0.0 is via the main router. Thus in order to reach a printer or file share inside the main router's network you don't need any special routing configuration. Though you will need to configure the server's IP address explicitly on the remote clients since they won't be probing outside their own network.

In the remote router's firewall the wan and lan should be in the same zone and intra-zone forwarding allowed.

When NAT is not used on the remote router, for connections in either direction the main router needs a static route to the remote network via the remote router's IP on its LAN. A static DHCP reservation should be used to force it to a known IP.

Thanks for the replies. I was trying to keep radio issues separate from the routing issue. I have a high-gain directional antenna which will take care of signal quality over the distance.

And yes, I actually already have CPE at the building. Really all I'm trying to sort out on this thread is how to get the routing working through the box which is acting as a link from the outbuilding to the house.

I haven't tried putting the wan and lan in the same zone. I'll try that next. But I'm puzzled: On my other openwrt boxes, I typically run wan and lan in separate zones. Routing (without NAT) works fine between them. Why is it necessary in this configuration?

Hey,

Not sure how your previous setup worked, but what having a WAN and LAN zone basically means is creating NAT/access rules, which will work but will make your life harder. To bypass such issues you should put both interfaces, wlan0 and eth0, in the LAN zone so they are both part of the same subnet (again, if applicable).

Do you mind sharing a basic diagram of the network including your CPE in it?

Does the R7800 have a static route to the other network and vice versa?

Thanks again for helping me puzzle through this.

Attached is a sketch of this part of my network. The stuff in blue is what I already have, the stuff in pink is what I'm trying to add. I should also point out that for testing, I'm not relying on the longer-distance radio, the 54G is on a desk 10 feet from the R7800. When (if) I get the routing sorted out, I'll move it out to the other building.

I went back over my configs, on both the R7800 and 54G. It seems like what I have should work, but I'm still missing something.

The 54G boots and connects to the R7800 over WIFI. The 54G gets IP address 192.168.21.195.

I'm using a macbook as a client of the 54G. Its WIFI is disabled. It's plugged into a LAN port of that box, and has acquired IP address 192.168.23.182. From the macbook I can ping 192.168.23.1 (the 54G LAN interface). I can ping 192.168.21.195 (the WIFI interface of the 54G). I can ping 192.168.21.1 (the WAN interface of the R7800).

From the other direction, something still isn't right. From the R7800, when I try to ping 192.168.21.195 (the WIFI interface of the 54G) I get nothing. On the 54G, running tcpdump, I can see the incoming ping requests, but there are no replies going out.

On the 54G, I've gone through the firewall configs, and tried setting everything to "accept". Each of wan and lan zones is set to forward to the other, and there are rules saying IPV4 and IPV6 all protocols ACCEPT. Masquerading is turned off.

I'm sure it's going to turn out that I've done something subtly stupid, but so far I'm not seeing it.

Thanks . . .

In order for stuff to route to the 192.168.23.0/24 network, the R7800 must have a static route saying that the gateway for the .23.0 network is the device .21.x, which is your pink device. Have the R7800 give a static lease to the pink device (I'd suggest 192.168.21.2), and then have the R7800 have a static route 192.168.23.0/24 via 192.168.21.2 dev wlan0, or whatever dev on the R7800 runs the wlan network.
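Why the return route matters, as an added example that is not part of the thread or any poster's words: a small Python model of longest-prefix-match routing on both routers, using the thread's subnets. The remote router address 192.168.21.2 follows the suggestion above; the upstream gateway 203.0.113.1, the interface names and the router labels are assumptions made for illustration.

```python
import ipaddress

def route(dst, gw, dev):
    return (ipaddress.ip_network(dst), gw, dev)

def lookup(table, dst):
    """Longest-prefix match; returns (gateway, dev), gateway is None if on-link."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in table if ip in r[0]]
    if not matches:
        raise LookupError(f"no route to {dst}")
    _, gw, dev = max(matches, key=lambda r: r[0].prefixlen)
    return gw, dev

def trace(routers, start, dst):
    """Follow a packet for dst hop by hop, starting at router `start`."""
    hops, name = [], start
    for _ in range(8):  # hop limit, guards against routing loops
        gw, dev = lookup(routers[name]["table"], dst)
        if gw is None:
            hops.append(f"{name}: on-link via {dev}")
            return hops
        hops.append(f"{name}: via {gw} dev {dev}")
        owner = [n for n, r in routers.items() if gw in r["addrs"]]
        if not owner:  # next hop is outside the two routers modelled here
            hops.append("left the modelled network")
            return hops
        name = owner[0]
    hops.append("hop limit reached")
    return hops

def build(static_route):
    """Routing tables for the main (R7800) and remote (WRT54G) routers."""
    main = [route("192.168.21.0/24", None, "lan"),
            route("0.0.0.0/0", "203.0.113.1", "wan")]  # constructed upstream gateway
    if static_route:  # the static route suggested in the thread
        main.append(route("192.168.23.0/24", "192.168.21.2", "lan"))
    remote = [route("192.168.23.0/24", None, "lan"),
              route("192.168.21.0/24", None, "wlan"),
              route("0.0.0.0/0", "192.168.21.1", "wlan")]
    return {"main": {"addrs": {"192.168.21.1"}, "table": main},
            "remote": {"addrs": {"192.168.21.2", "192.168.23.1"}, "table": remote}}

if __name__ == "__main__":
    for static in (False, True):
        print("static route:", static, trace(build(static), "main", "192.168.23.182"))
```

Without the static route, traffic from the main router toward 192.168.23.182 matches only the default route and leaves via the WAN; with it, the packet is handed to the remote router and delivered on its LAN.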

By default a version 19 OpenWrt will answer pings that arrive on its WAN interface. This is done in part by a firewall rule that overrides the default REJECT input on wan. I don't know if this is true for version 10. There are probably other considerable differences.

I am pretty sure routes are missing, just post the routing tables of all 4 routers to verify it.

So: After another day of horsing around, I've concluded that I've got a weird hardware problem.

I had shut everything down to go work on something else. I powered the 54G back on, it came up and connected to my internal WIFI, and was happily routing out its LAN side. I figured I must have messed up something while hacking around by hand, and that the configuration I'd set up was good after all. Installed the unit in my outbuilding, and confirmed that it was all working. Came back a couple hours later, and it had stopped routing again. I could ssh to one interface and send traffic out the other, but it wouldn't route through.

Long story shorter: It works for a while after powerup, but after somewhere between 30 minutes and an hour, it starts degrading. Eventually it stops routing altogether. In my most recent experiment, I ssh'ed into it from several windows, and did tcpdump on the wan and lan interfaces. I set something pinging through it. It works perfectly for a while, then I'll start dropping one or two, then 10 or 20 at a time, then all of them. When it starts dropping, I can see the incoming ping requests, but they never go out the other interface.

I suspect temperature; if I simply bounce the power it won't come back, but if I leave it for 30 minutes or so, then power it back up, it works fine. For a while.

It's a pretty weird problem, but I'm not sure what else to think.

It's time to stop spending time on this one. I've ordered some new (modern) hardware, and will restart this project when it comes in. At least I now know how to configure it :)

Thanks everyone for your help as I grappled with this thing.
