Accessing the device when using relayd

accelerate · October 7, 2018, 10:42am

Hi everyone,

I followed the guide here: https://openwrt.org/docs/guide-user/network/wifi/relay_configuration?s[]=relayd and so far I am really happy.

There is only one thing that bothers me a little:

With this setup your LEDE device itself may only be accessible from those computers directly connected to the W-LAN AP, not from the ones connected to the LEDE W-LAN client only, when in the 192.168.1.0 subnet.

Is there no way arround it? Why can't I connect to the device when I am directly connected to it via wifi?

Thank you in advance!

vgaetera · October 7, 2018, 10:57am

Reconfigure firewall in accordance with your security policy and routing.
Set up one of those: port opening, zone, zone policy.

eduperez · October 7, 2018, 11:01am

When I had one router configured as a relayd client (now it uses WDS, but the argument is still valid), I configured the LAN section as a pure DHCP client, but reserved the WAN section as as a "management port": it has a static IP address and a DHCP server; this way, I can always plug a computer into that port, and access the device.

accelerate · October 7, 2018, 1:16pm

Thank you for your answers!

@vgaetera
I disabled the firewall, because why would I use it on a simple repeater? I only use the device to relay traffic and don't see the sense in using a firewall in this scenario. Maybe I am overlooking something?

@eduperez
This means I first have to connect a client into that special port to be able to manage the repeater. I don't see really the advantage here, because then I also can plug in a cable or connect from the main router side.

I am not happy with the solutions. There are two different interfaces, the WAN-WLAN interface with connects to the main router and another WLAN interface which gives clients access to the network. The WAN-WLAN interface has a static IP and is reachable from the main router, but not from the clients directly attached to the repeater. I don't understand why?

vgaetera · October 7, 2018, 1:22pm

It should be OK, if you have no need for traffic filtering and configured the routing properly.

accelerate · October 7, 2018, 1:30pm

Would setting up a static route solve my problem?

mbo2o · October 7, 2018, 1:49pm

Don't think so,

Have you tried setting up a second static IP (alias) on the WLAN client on the same subnet as the WLAN and then try accessing the extender on the WLAN IP address

accelerate · October 7, 2018, 1:59pm

I tried that, but doesn't change the fact that WLAN clients can't directly connect to the repeater.

F5BJR · October 17, 2018, 9:55am

I think that you have for the openwrt two WLAN names , one for the relay mode and one for the box

in relay mode i use only the relay WLAN name ( same as my master router )

exemple :
The master routeur WLAN name is Livebox4 ( the same for relay ) IP : 192.168.1.1
The Openwrt box in relay mode IP is 192.168.1.231 ( or other .. )

If i connect the 192.168.1.231 i have the LUCI page, no problem

I have many little box's with OpenWrt in relay mode and no problems

GL-MT300V2%20-%20DLNA%20-%20Copie

eduperez · October 7, 2018, 5:36pm

I can reach my "repeater" from any computer on any network segment; I was suggesting to use the WAN port just as an emergency port. My device does not have any 192.168.2.0/24 network configured, just the 192.168.1.0/24 network as a DHCP client, and can be reached from any computer, once it acquires an IP address from the main router.

accelerate · October 8, 2018, 1:38pm

@F5BJR
I have the same setup as you. Connecting to the LUCI page does work from everywhere, just not when I am directly connected to the repeater. This is also supposed to be like this according to the wiki:

Accessing the LEDE device
With this setup your LEDE device itself may only be accessible from those computers directly connected to the W-LAN AP, not from the ones connected to the LEDE W-LAN client only, when in the 192.168.1.0 subnet. It is however still possible to access the LEDE box via its 192.168.2.1 address, when you are in that subnet. One way of being in both subnets at the same time with a Linux client is by adding a second, a virtual network interface to /etc/network/interfaces:

My question was just why it is like that and if there isn't a better solution.

@eduperez
Maybe this will do the trick, but the disadvantage here will be though that the repeater won't have a static IP address and it won't be out of the DHCP pool.

Thank you for your help and patience. I think this topic can be closed.

eduperez · October 8, 2018, 2:45pm

Well, you can always configure the main route to issue the same IP address to the repeater. But I do not see why you cannot configure it with a fixed IP address in the same segment as the main router, or how is this related to not being able to reach the device. I think we are mixing different issues here, or perhaps I didn't understand what is the problem you are experiencing.

F5BJR · October 8, 2018, 5:14pm

In the documentation it is well indicated that if one wants a direct access on a LAN port it is necessary to use another subnet like 192.168.2.xxx
Ditto for DHCP to be disabled
It works well

accelerate · October 9, 2018, 1:01pm

setup

To make this more clear, attached my setup.

What does work:
Connecting to the web interface of the repeater(10.0.0.200) from Client 2.

What doesn't work:
Opening the web interface of the repeater(10.0.0.200) from Client 1.

eduperez · October 9, 2018, 3:32pm

That should work... Please share your config files here (network, firewall, and uhttpd).

accelerate · October 15, 2018, 4:47pm

All config files are available for download here: https://www.dropbox.com/s/2n4zza4o925mjto/config.zip?dl=0

I reconfigured the device, so here is the updated schematic:
setup2

eduperez · October 15, 2018, 8:03pm

Shouldn't your firewall be configured to accept forwarding between interfaces (https://wiki.openwrt.org/doc/recipes/relayclient)?

accelerate · October 16, 2018, 7:25am

The firewall was completely disabled in my case. Tried to enable it with everything allowed, but still doesn't work.
There is still this explanation in the wiki:

Accessing the LEDE device
With this setup your LEDE device itself may only be accessible from those computers directly connected to the W-LAN AP, not from the ones connected to the LEDE W-LAN client only, when in the 192.168.1.0 subnet. It is however still possible to access the LEDE box via its 192.168.2.1 address, when you are in that subnet. One way of being in both subnets at the same time with a Linux client is by adding a second, a virtual network interface to /etc/network/interfaces:

So maybe it is just not possible in that way?

F5BJR · October 16, 2018, 3:58pm

accelerate ->

in your image where are the links lan (wired) and wifi (not wired)?

in relay mode all the wifi connections must use the same name (that of the main router)

my network file ( same model for all relay box's in relay mode - master wifi is 192.168.1.1 ):

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd6c:739e:cff5::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.2.234' -> others box are by exemple 192.168.2.233
        option ifname 'eth0'

config interface 'stabridge'
        option proto 'relay'
        list network 'lan'
        list network 'wwan'
        option delegate '0'
        option ipaddr '192.168.3.234' -> not important can remove

config interface 'wwan'
        option proto 'static'
        option ipaddr '192.168.1.234' -> others box are by exemple 192.168.1.233
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        option dns '192.168.1.1 8.8.8.8'
        option broadcast '192.168.1.255'

vgaetera · October 16, 2018, 11:16am

If you really need transparent routing, may be just use it without relayd?