AP+Sta on dual-band router, or Relay - from a third party router to OpenWrt

I have an Asus RT-AC66U as the main router, connected to the ISP modem-router in bridge mode, and it is currently the active AP in the house. It's running Tomato for the time being (I know it's not considered secure, but I need the bandwidth monitoring for now. My future plans involve either swapping it for an OpenWrt router or trying to build an image for it using a new kernel).

Anyway, as the phone socket is inconveniently placed, I get some devices that are often unhappy with 2.4 GHz, not to mention 5 GHz, namely a TV and an iPhone.

The TV mainly runs offline content, so I currently have it wired to an Archer C7 V2 running OpenWrt, serving an HDD via miniDLNA. The router isn't on the "main" network and has no internet source, so when I want to manage it or add files to the HDD, I hook a USB WiFi dongle to my PC and connect to the Archer WiFi. This works, though it's not very convenient of course.

And then there is the iPhone that seems to be unhappy with the range to the Asus router. So I was thinking of setting the Archer as a client of the Asus, then it can be wired to the TV and also give internet to the iPhone.

With the two routers having different chips and different firmware, I imagine WDS is a no. I previously tried the relay configuration https://openwrt.org/docs/guide-user/network/wifi/relay_configuration but experienced intermittent connection between the two routers (I was doing it on the 5 GHz band to be honest, so maybe I should have tried 2.4 GHz as well). Anyway, I came across the AP+Sta configuration https://openwrt.org/docs/guide-user/network/wifi/relay_configuration and was thinking I should give it a try (or revisit the Relay configuration, on 2.4 GHz this time). Though, before starting to mess around with a working system in different directions, I have a couple of questions:

  • Given the difference in hardware and firmware between the two routers, does either of the two configurations (relay vs AP+Sta) have a better chance of working smoothly? I imagine that they both connect to the other router the same way, but thought of checking.
  • I am aware of the issue with no AP when the WWAN AP isn't available (and that there is a workaround). But does the AP go off only for that band, or will the APs on all bands go off? I mean if I use the 5 GHz for the WWAN and the router loses connection to the other router, will the 2.4 GHz AP go off as well? I am also aware of travelmate, but if I can do without, that's better.
  • Are there any other configurations that could work for me? I don't care if the router will create its own subnet or not, as long as it will be feasible for me to access one from my PC while connected to the other's AP.

Thanks!

Power-line modem perhaps, if you can't run Ethernet.

While the four-address packets are part of the 802.11 standard, how they are used, as far as I know, isn't. If WDS doesn't work and Tomato supports advanced networking, such as GRE or VPN bridging, that might be another option.

The Asus RT-AC66U uses Broadcom softmac wireless cards (BCM4360 and BCM4331), neither of which is (sufficiently) supported by free drivers (or OpenWrt), which means Tomato uses the proprietary Broadcom drivers for them. WDS/4addr as used by mainline mac80211 based drivers is not compatible with Broadcom's proprietary equivalent, leaving the routed client scenario with relayd as the only (sub-optimal) solution.

Thanks.

Sorry, a question that might reveal some of my ignorance: how different is the AP+Sta configuration from the relayd? Don't they handle the connection between the two routers similarly?

"AP+Sta" just means that the router is a client of another AP, as well as offering an AP to other clients. How one chooses to use those two connections is the heart of the matter.

One of the "problems" many people face is that they want the clients to be on the same subnet that the main AP is offering for on-link services such as mDNS, or Windows browsing. Something like relayd "fakes it", at least for IPv4, by "spoofing" those on-link requests and responses from one subnet to another.

With L2 bridging, it just works, but the options for L2 bridging are limited for routers without the flexibility, sophistication, and configurability of OpenWrt.

Thanks @jeff
So effectively what's in the relayd as described here https://openwrt.org/docs/guide-user/network/wifi/relay_configuration is essentially what's here https://openwrt.org/docs/guide-user/network/wifi/ap_sta plus faking the same subnet?

OK all clear now. I will give it another try on 2.4 then.

OK so I tried relayd, and now I remember what happened when I tried it a couple of weeks ago. The OpenWrt (client) router has an internet connection, I can access it via the WWAN address (192.168.1.2) when I am connected to the main AP, and the LAN address (192.168.2.1) when I'm connected to its AP.

I seem to have issues with DHCP and DNS, though for some devices I was able to have internet connections via the OpenWrt AP when setting a static DHCP and DNS. I tried setting the LAN IP to static and also putting the IP of the main router as the DHCP gateway and DNS at the WWAN interface, but still it doesn't seem to "relay" that to the clients of the OpenWrt AP.

Anyway, I know I was warned, so I guess it is what it is.

But what was disappointing is that I couldn't have SSH or SCP access via the WWAN IP when connected to the main AP, and I couldn't access the SMB share either. WWAN is in the same firewall zone as LAN, and I can access the GUI via the WWAN IP, so why not SSH or SMB?

As for the wireless clients of the OpenWrt AP not getting IPs from the main router's DHCP server, I thought of using trelay, but without documentation I don't even know what names to put in the config in /etc/config/trelay (should it be the physical device name or the interface name or what?).

Thanks

So I removed relayd (and the bridge interface) and installed trelay instead, based on "No DHCP/broadcast forwarding using client with relayd pseudobridge". I got an error when trying to start the trelay service:

root@C7:~# service trelay start
sh: write error: Resource busy

Meanwhile, these are my config files. Do they make sense (particularly regarding the names of the devices I am bridging)? Basically I want OpenWrt LAN clients and hopefully clients of AP "T" to have access.

/etc/config/network (WAN_IP, WAN6_IP and WAN_PPPoE interfaces are disabled)

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd65:9350:dea5::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option mtu '1420'
	option ifname 'eth1.1'
	option ipaddr '192.168.2.1'
	option stp '1'
	option igmp_snooping '1'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option vid '1'
	option ports '0t 2 3 4 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'
	option vid '2'

config interface 'WAN_IP'
	option proto 'dhcp'
	option ifname 'eth0.2'
	option clientid 'root'
	option auto '0'

config interface 'WAN6_IP'
	option proto 'dhcpv6'
	option ifname 'eth0.2'
	option reqaddress 'try'
	option reqprefix 'auto'
	option clientid 'root'
	option auto '0'

config interface 'WAN_PPPoE'
	option proto 'pppoe'
	option ifname 'eth0.2'
	option username '132dadad'
	option password '4473afafafdadafa'
	option ipv6 'auto'
	option mtu '1420'
	option auto '0'

config interface 'wwan'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	option dns '192.168.1.1 8.8.8.8'
	option delegate '0'

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:01/0000:01:00.0'
	option country 'US'
	option legacy_rates '1'
	option htmode 'HT20'
	option disabled '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/qca955x_wmac'
	option htmode 'HT20'
	option country 'US'
	option legacy_rates '1'
	option disabled '0'
	option channel '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'wwan'
	option ifname 'wwan'
	option mode 'sta'
	option ssid 'A'
	option bssid '60:A3'
	option encryption 'psk2'
	option key 'xyz'
	
config wifi-iface
	option device 'radio1'
	option network 'lan'
	option ifname 'wlan'
	option mode 'ap'
	option ssid 'T'
	option encryption 'psk2'
	option key 'xyz'

/etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option ra 'server'
	option dhcpv6 'server'
	option ra_management '1'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

/etc/config/firewall


config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan repeater_bridge wwan Replay Relay'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option input 'REJECT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 WAN_IP WAN6_IP WAN_PPPoE'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

/etc/config/trelay

config trelay
	option enabled	1
	option dev1	wwan
	option dev2	wlan

Edit: found out that DHCP was left on on LAN, so turned that off.
Also in /etc/config/trelay I turned enabled to 0 and now it seems like it doesn't mind service trelay start, though it doesn't give any errors if I start it more than once, so I don't know if it's actually running or not. service trelay status isn't working.

As for the system, I can now access the router from the LAN side only (via its AP of course, not the main router's AP), and it has internet. But other than this its clients get no internet and I can't access it from the WAN side via the main router's AP.

@ozon I see you got trelay to work. Would you be able to provide some help?

@misza97 Did you get it to work?
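
A check that fits the configuration posted above, as an added example that is not part of the thread: it cross-references the networks listed in each firewall zone against the `config interface` sections in the network file, and lists which defined interfaces sit in a zone whose `input` policy is ACCEPT (every router service is reachable from those). The function name `zone_audit` and the output labels are made up for this example; the sample input is trimmed from the posted /etc/config/network and /etc/config/firewall.

```shell
# Added example. Usage: zone_audit NETWORK_FILE FIREWALL_FILE
# Prints "UNDEFINED zone net" or "INPUT-ACCEPT zone net", one per line.
zone_audit() {
    awk -v q="'" '
        { gsub(q, "") }                       # strip UCI single quotes
        FNR == NR {                           # first file: network config
            if ($1 == "config" && $2 == "interface") defined[$3] = 1
            next
        }
        $1 == "config" { in_zone = ($2 == "zone"); if (in_zone) n++; next }
        in_zone && $2 == "name"    { name[n] = $3 }
        in_zone && $2 == "input"   { input[n] = $3 }
        in_zone && $2 == "network" { for (i = 3; i <= NF; i++) nets[n] = nets[n] " " $i }
        END {
            for (z = 1; z <= n; z++) {
                cnt = split(nets[z], net, " ")
                for (i = 1; i <= cnt; i++)
                    if (!(net[i] in defined))
                        print "UNDEFINED " name[z] " " net[i]
                    else if (input[z] == "ACCEPT")
                        print "INPUT-ACCEPT " name[z] " " net[i]
            }
        }
    ' "$1" "$2"
}

# Sample input: section headers and zone options trimmed from the posted files.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/network" <<'EOF'
config interface 'loopback'
config interface 'lan'
config interface 'WAN_IP'
config interface 'WAN6_IP'
config interface 'WAN_PPPoE'
config interface 'wwan'
EOF
cat > "$SAMPLE_DIR/firewall" <<'EOF'
config zone
    option name 'lan'
    option input 'ACCEPT'
    option network 'lan repeater_bridge wwan Replay Relay'
config zone
    option name 'wan'
    option input 'REJECT'
    option network 'wan wan6 WAN_IP WAN6_IP WAN_PPPoE'
EOF
zone_audit "$SAMPLE_DIR/network" "$SAMPLE_DIR/firewall"
```

On the router itself the call would be `zone_audit /etc/config/network /etc/config/firewall`. On the sample it reports `repeater_bridge`, `Replay`, `Relay`, `wan` and `wan6` as zone members with no matching interface section, and shows that `wwan`, the link to the upstream network, is in the input-ACCEPT `lan` zone.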