Build a WiFi Client bridge over Atheros 5213 via iptables

Hi All,

  1. Environment: Atheros 5213, OpenWrt (customisable); wpa_supplicant is already installed.

  2. Target: to build a WiFi client bridge as pictured below, using the MASQUERADE or routing solution suggested at https://openwrt.org/docs/guide-user/network/routedclient#routed_client

  3. As pictured above, I can ping from the PC (172.16.2.136) to the WiFi client (172.16.2.132) and vice versa; likewise, I can ping from the WiFi client (172.16.3.133) to the access point (172.16.3.28) and vice versa. However, I cannot ping from the PC (172.16.2.136) to the WiFi client (172.16.3.133). I ran tcpdump on the lan interface, and the ARP request from 172.16.2.136 does arrive on lan as shown below; however, nothing shows up when I tcpdump the wan interface.

07:07:23.834236 ARP, Request who-has 172.16.3.133 tell 172.16.2.136, length 46

So it seems there is an issue with forwarding from zone "lan" to zone "wan". Note that the ARP request shown above asks for 172.16.3.133, an address outside the lan subnet 172.16.2.0/24. Could anyone tell me what is happening and how to deal with it? Thanks.

  4. FYI, my settings on the WiFi client for the routing solution are as below:
    4.1 wireless
config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/qca953x_wmac'
        option htmode 'HT20'
        option disabled '0'
        option country 'AU'
        option txpower '20'
        option diversity '0'
        option txantenna '1'
        option rxantenna '1'

config wifi-iface 'wan'
        option device 'radio1'
        option ifname 'wwan'
        option network 'wwan'
        option mode 'sta'
        option ssid 'aaaa'
        option encryption 'psk2+aes'
        option key 'xxxxxxx'
        option disabled '0'

4.2 network

config interface 'loopback'
        option ifname     'lo'
        option proto      'static'
        option ipaddr     '127.0.0.1'
        option netmask    '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdf6:ecf3:fbe7::/48'

config interface 'wwan'
        option proto     'static'
        option ipaddr    '172.16.3.133'
        option netmask   '255.255.255.0'

config interface 'lan'
        option ifname    'eth0'
        option type      'bridge'
        option ip6assign '60'
        option proto    'static'
        option ipaddr   '172.16.2.132'
        option netmask  '255.255.255.0'
        option delegate '0'

4.3 firewall

config defaults
        option input            'ACCEPT'
        option output           'ACCEPT'
        option forward          'ACCEPT'

config zone
        option name             'lan'
        option network          'lan'
        option input            'ACCEPT'
        option output           'ACCEPT'
        option forward          'DROP'
        option mtu_fix          '1'
        option log              '1'

config zone
        option name             'wan'
        option network          'wwan'
        option input            'DROP'
        option output           'ACCEPT'
        option forward          'DROP'
        option mtu_fix          '1'
        option log              '1'

config forwarding
        option src              'lan'
        option dest             'wan'

config forwarding
        option src              'wan'
        option dest             'lan'


config include
        option path '/etc/firewall.user'

config rule
        option dest              '*'
        list   proto             'all'
        option target            'ACCEPT'
        option src               '*'

The output of the command "iptables -vnL" is as below. Note that the FORWARD chain counters are all 0, and that the catch-all `config rule` (src '*', dest '*', target ACCEPT) appears as the `/* @rule[0] */` ACCEPT in delegate_forward ahead of the zone_lan_forward/zone_wan_forward chains, so it accepts any forwarded traffic regardless of the zones' forward policy.

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   25  1592 delegate_input  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOGGING    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 delegate_forward  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOGGING    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   24  1560 delegate_output  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 LOGGING    all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain LOGGING (3 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 100/min burst 5 LOG flags 0 level 7
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain delegate_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* @rule[0] */
    0     0 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_wan_forward  all  --  wwan   *       0.0.0.0/0            0.0.0.0/0

Chain delegate_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
   15  1020 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   10   572 input_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    1    32 zone_lan_input  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
    9   540 zone_wan_input  all  --  wwan   *       0.0.0.0/0            0.0.0.0/0

Chain delegate_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
   15  1020 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
    9   540 output_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 zone_lan_output  all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0
    9   540 zone_wan_output  all  --  *      wwan    0.0.0.0/0            0.0.0.0/0

Chain forwarding_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain forwarding_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain input_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_lan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain output_wan_rule (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain reject (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REJECT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with tcp-reset
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Chain zone_lan_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0

Chain zone_lan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 LOG flags 0 level 4 prefix "REJECT(dest lan)"
    0     0 reject     all  --  *      br-lan  0.0.0.0/0            0.0.0.0/0

Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    0     0 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* forwarding lan -> wan */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
    0     0 zone_lan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    32 input_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
    1    32 zone_lan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 output_lan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_lan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    1    32 ACCEPT     all  --  br-lan *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    9   540 ACCEPT     all  --  *      wwan    0.0.0.0/0            0.0.0.0/0

Chain zone_wan_dest_REJECT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 10/sec burst 5 LOG flags 0 level 4 prefix "REJECT(dest wan)"
    0     0 reject     all  --  *      wwan    0.0.0.0/0            0.0.0.0/0

Chain zone_wan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for forwarding */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* forwarding wan -> lan */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port forwards */
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_input (1 references)
 pkts bytes target     prot opt in     out     source               destination
    9   540 input_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for input */
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate DNAT /* Accept port redirections */
    9   540 zone_wan_src_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_output (1 references)
 pkts bytes target     prot opt in     out     source               destination
    9   540 output_wan_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* user chain for output */
    9   540 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain zone_wan_src_ACCEPT (1 references)
 pkts bytes target     prot opt in     out     source               destination
    9   540 ACCEPT     all  --  wwan   *       0.0.0.0/0            0.0.0.0/0

Continued...

(1) Bridge firewalling is enabled as below:
net.bridge.bridge-nf-call-arptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1
These are already set in sysctl.conf and applied with sysctl -p.

(2) Per my debugging, the br_netfilter module is also registered in the kernel.

Please let me know your thoughts. Thanks.