And that will put your interfaces under default policy, which is filter/FORWARD:DROP.
OK I disabled router advertisement. Still not working.
Does the LAN IP need to be within the subnet I'm trying to communicate with? I've tried it both ways and it doesn't work either way.
Subnet I'm trying to connect to is 192.168.123.xxx. I set LAN IP to 192.168.123.250. Wireless card set to 192.168.123.251. The moment I plug ethernet cord into LAN I lose connection to the router. Not sure why since both 250 and 251 are free IPs on the network.
What is the correct way to disable the firewall?
Either assign all interfaces to zone LAN, or set default filter/FORWARD policy to ACCEPT.
So I went to Create/Assign Firewall-Zone and selected the only green item, "lan". Now two symbols show up, a cord with a port, and a wireless symbol.
This seems like it enables the firewall. I need it disabled I believe since there is no internet access on this network, it is just a bunch of industrial machinery on ethernet.
Zone LAN is actually transparent including LAN-LAN forwarding.
You can disable and stop firewall service if you want, but I'm not sure if this option could survive update/reflash, so better do not rely on it too much.
I'm still in the same boat as before. Here are some symptoms -
LAN IP is set to 192.168.8.1. Wifi IP is set to 192.168.8.10. I can see the router fine and can ping it without issue. I plug the ethernet cable into the LAN port and attempt to ping 192.168.8.1.
Request Timed Out
Reply from 192.168.8.10: Destination Host Unreachable
Repy from 192.168.8.1: Bytes=32 time=2185ms TTL= 64
Repy from 192.168.8.1: Bytes=32 time=10ms TTL= 64
Sorry, I can only post one image. Here is my config -
I'm quite lost. So, I'll try to start from scratch:
- Reset device to factory defaults
- Disable DHCP
- Setup WiFi SSID
- Login to device and change LAN IP to 192.168.123.250 (You will have to hit "Apply unchecked" to proceed past the rollback warning)
- Plug upstream router into a LAN port
- Reset WiFi or Ethernet connection on client to get new IP from upstream router
- Done!
I don't think there is an upstream router. Just a bunch of switches.
If that's the case, it completely explains why you loose connectivity when you plug in.
I don't see what having an upstream router has to do with anything if I'm setting static IPs.
Only interface br-lan (LAN-network) should have an IP-address.
eth* and wlan* interfaces should become bridge-members and have only MAC-addresses.
I suggest to ssh to the router and configure it through the uci.
And make sure the changes applied correctly:
ip a; ip r; iptables-save
uci show network
uci show firewall
1 Like
This isn't making much sense.
It helps to have some idea what is on the other end of a cable before plugging it in to your stuff. If there is no router there, does it go to the Internet at all? Is your objective only to use the Internet, or do you want to / have to interact with devices in the LAN?
I would suggest putting both Ethernet ports on the AR-300 in the same bridge. Put the former WAN's port (either eth1 or eth0.2 depending on the hardware involved) into the lan along with eth0 or eth0.1. (You may also be able to do logically the same thing by reconfiguring the switch, but then you're using hardware switching and you don't know if the CPU is actually seeing the packets. In other words software bridge for troubleshooting, hardware switch for performance.)
Then you can remove the wifi as a variable. Leave one of the Ethernet ports connected to your PC and the other one to the network. Once wired is working, you should be able to switch on wifi and have it "just work".
The device's LAN IP address is used only to log into the OS and administer it. It also would like to have a proper gateway so it can set the internal clock (which is only software, there is no real-time keeping hardware) via NTP at boot-up.
Some people intentionally set a dumb AP's LAN IP outside the range normally used by the network in order to avoid conflicts and increase (perceived) security.
I like to DHCP everything it turns out to be considerably simpler-- as long as you can trust there will be a working DHCP and DNS server involved.
Looking into SSH now. When I said that Wifi IP was set to 192.168.8.10 I meant my wireless adapter on my PC.
This is an industrial network for automation equipment. There are HMIs, PLCs, Drives, Servos, etc that I know are on the network. I need to connect to those devices. There is no internet access. But I can't say for certain that someone on the other side of the facility has not plugged a device into the network that has DHCP enabled.
I plug an ethernet cable into the programming port and I can access all of my equipment. My dumb AP (purchased as a standalone AP) works fine and gives me wireless access. I can't get the AR300M to do this.
Reset the AR300M to factory defaults. Do not adjust the firewall.
Pick one of the following two diagrams, and configure your equipment to suit. My own LAN is configured per the second diagram: I have OpenWRT 18.06.1 connected with a single cable into the LAN interface, and the device acts as a WAP for my LAN. IP addressing is handled elsewhere.
One diagram puts the industrial network into the AR300M's WAN port. You may need to configure a static IP address on the WAN port, if the industrial network does not have a known, reliable DHCP server. If you need to permit unsolicited connections from the industrial network to your laptop, you may choose to open/forward ports on the AR300M.
The other diagram puts the industrial network into the AR300M's LAN port. Disable the AR300M's IPv4 DHCP server on the LAN interface. Disable all IPv6 features. Configure the AR300M's LAN interface with a static address in 192.168.123.0/24. Configure your laptop with a static address in 192.168.123.0/24, if the industrial network does not have a known, reliable DHCP server.
Whatever address scheme you end up using, make sure you do not conflict with any existing addresses. You will have problems connecting to equipment if you've duplicated any addresses.
I swear I have already done this but here goes attempt 49 or so.
Hard reset the device (hold reset for >10 seconds).
Open up Network -> Interfaces. Select "edit" under "LAN".
Set IP = 192.168.123.250, mask = 255.255.255.0
Disable IPV6 assignment length.
Disable DHCP.
Disable Router Advertisement Service
Disable DHCPV6 Service
Disable "use builtin IPV6 management"
Save & Apply.
Set wireless adapter on PC to 192.168.123.251, mask = 255.255.255.0
Reconnect to AR300M. Confirm all previous settings. System -> Reboot.
Reconnect, log back in and confirm settings.
Plug ethernet cable into LAN port. Ping AR300M. Get reply for the first time! Ping the hard-wired network device.
Reply = 2147ms
Reply = 13ms
Reply = 8ms
Reply = 524ms
Perform another ping and get an average of 10ms.
Next PING I get 42ms, 878ms, 2386ms, 6ms.
Try PINGing the AR300M. Average = 5ms.
Plug ethernet cord directly into PC. Perform another PING on the network device utilizing hard-wire.
Average = 1ms
What is the deal?
802.11 is slower than 802.3.
802.11 is always half-duplex. 802.3 can be, but isn't always.
802.11 is frequently affected by RF interference more than 802.3 is.
Take your pick. There are other possible causes as well.
But the important thing is that you're getting replies from the equipment, where you weren't before.
1 Like
If wireless were the problem wouldn't I be getting crazy delays when pinging the AR300M? Long ping times are only when I'm talking through the AR300M to the other network.
So I'm fast from my computer to the AR300M through wifi. I'm fast to the device on the network when using hard-wire. Some other issue seems to be the only explanation for why I'm slow when going through the AR300M.
Just to give everyone an update - I never got this to work properly at this site. I called the last technician to work at the facility and they had the exact same problem with their dumb AP that they use regularly at other sites. It just wouldn't work.
So it seems to have been something on this particular network interfering.