JamesSu
December 14, 2020, 6:37am
1
Hi All,
Environment: Atheros5213, OpenWrt (customisable), wpa_supplicant is already installed.
Target: to build a WiFi client bridge as shown below, using the MASQUERADE or Routing solution suggested at https://openwrt.org/docs/guide-user/network/routedclient#routed_client
As pictured above, I could ping from the PC (172.16.2.136) to the WiFi client (172.16.2.132) and vice versa; likewise, I could ping from the WiFi client (172.16.3.133) to the access point (172.16.3.28) and vice versa. However, I couldn't ping from the PC (172.16.2.136) to the WiFi client (172.16.3.133). I hooked up tcpdump on the lan interface, and it seems that the ARP from 172.16.2.136 already arrives on lan, as below; however, there is nothing if I tcpdump the wan interface.
07:07:23.834236 ARP, Request who-has 172.16.3.133 tell 172.16.2.136, length 46
So it seems there is an issue with forwarding from zone "lan" to zone "wan". Could anyone tell me what is happening and how to deal with it? Thanks.
FYI, my settings in the WiFi client with the Routing solution are as below.
4.1 wireless
config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/qca953x_wmac'
	option htmode 'HT20'
	option disabled '0'
	option country 'AU'
	option txpower '20'
	option diversity '0'
	option txantenna '1'
	option rxantenna '1'

config wifi-iface 'wan'
	option device 'radio1'
	option ifname 'wwan'
	option network 'wwan'
	option mode 'sta'
	option ssid 'aaaa'
	option encryption 'psk2+aes'
	option key 'xxxxxxx'
	option disabled '0'
4.2 network
config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdf6:ecf3:fbe7::/48'

config interface 'wwan'
	option proto 'static'
	option ipaddr '172.16.3.133'
	option netmask '255.255.255.0'

config interface 'lan'
	option ifname 'eth0'
	option type 'bridge'
	option ip6assign '60'
	option proto 'static'
	option ipaddr '172.16.2.132'
	option netmask '255.255.255.0'
	option delegate '0'
4.3 firewall
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'lan'
	option network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'DROP'
	option mtu_fix '1'
	option log '1'

config zone
	option name 'wan'
	option network 'wwan'
	option input 'DROP'
	option output 'ACCEPT'
	option forward 'DROP'
	option mtu_fix '1'
	option log '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config forwarding
	option src 'wan'
	option dest 'lan'

config include
	option path '/etc/firewall.user'

config rule
	option dest '*'
	list proto 'all'
	option target 'ACCEPT'
	option src '*'
JamesSu
December 14, 2020, 12:20pm
2
The result of the command "iptables -vnL" is as below,
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
25 1592 delegate_input all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOGGING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 delegate_forward all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOGGING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
24 1560 delegate_output all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 LOGGING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain LOGGING (3 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 100/min burst 5 LOG flags 0 level 7
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain delegate_forward (1 references)
pkts bytes target prot opt in out source destination
0 0 forwarding_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for forwarding */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* @rule[0] */
0 0 zone_lan_forward all -- br-lan * 0.0.0.0/0 0.0.0.0/0
0 0 zone_wan_forward all -- wwan * 0.0.0.0/0 0.0.0.0/0
Chain delegate_input (1 references)
pkts bytes target prot opt in out source destination
15 1020 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
10 572 input_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for input */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
1 32 zone_lan_input all -- br-lan * 0.0.0.0/0 0.0.0.0/0
9 540 zone_wan_input all -- wwan * 0.0.0.0/0 0.0.0.0/0
Chain delegate_output (1 references)
pkts bytes target prot opt in out source destination
15 1020 ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
9 540 output_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for output */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 zone_lan_output all -- * br-lan 0.0.0.0/0 0.0.0.0/0
9 540 zone_wan_output all -- * wwan 0.0.0.0/0 0.0.0.0/0
Chain forwarding_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_rule (1 references)
pkts bytes target prot opt in out source destination
Chain forwarding_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_rule (1 references)
pkts bytes target prot opt in out source destination
Chain input_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_lan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_rule (1 references)
pkts bytes target prot opt in out source destination
Chain output_wan_rule (1 references)
pkts bytes target prot opt in out source destination
Chain reject (2 references)
pkts bytes target prot opt in out source destination
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 reject-with tcp-reset
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
Chain zone_lan_dest_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * br-lan 0.0.0.0/0 0.0.0.0/0
Chain zone_lan_dest_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5 LOG flags 0 level 4 prefix "REJECT(dest lan)"
0 0 reject all -- * br-lan 0.0.0.0/0 0.0.0.0/0
Chain zone_lan_forward (1 references)
pkts bytes target prot opt in out source destination
0 0 forwarding_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for forwarding */
0 0 zone_wan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* forwarding lan -> wan */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* Accept port forwards */
0 0 zone_lan_dest_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain zone_lan_input (1 references)
pkts bytes target prot opt in out source destination
1 32 input_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for input */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* Accept port redirections */
1 32 zone_lan_src_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain zone_lan_output (1 references)
pkts bytes target prot opt in out source destination
0 0 output_lan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for output */
0 0 zone_lan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain zone_lan_src_ACCEPT (1 references)
pkts bytes target prot opt in out source destination
1 32 ACCEPT all -- br-lan * 0.0.0.0/0 0.0.0.0/0
Chain zone_wan_dest_ACCEPT (2 references)
pkts bytes target prot opt in out source destination
9 540 ACCEPT all -- * wwan 0.0.0.0/0 0.0.0.0/0
Chain zone_wan_dest_REJECT (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5 LOG flags 0 level 4 prefix "REJECT(dest wan)"
0 0 reject all -- * wwan 0.0.0.0/0 0.0.0.0/0
Chain zone_wan_forward (1 references)
pkts bytes target prot opt in out source destination
0 0 forwarding_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for forwarding */
0 0 zone_lan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* forwarding wan -> lan */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* Accept port forwards */
0 0 zone_wan_dest_REJECT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain zone_wan_input (1 references)
pkts bytes target prot opt in out source destination
9 540 input_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for input */
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate DNAT /* Accept port redirections */
9 540 zone_wan_src_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain zone_wan_output (1 references)
pkts bytes target prot opt in out source destination
9 540 output_wan_rule all -- * * 0.0.0.0/0 0.0.0.0/0 /* user chain for output */
9 540 zone_wan_dest_ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain zone_wan_src_ACCEPT (1 references)
pkts bytes target prot opt in out source destination
9 540 ACCEPT all -- wwan * 0.0.0.0/0 0.0.0.0/0
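An added diagnostic (not part of the thread, not the poster's code) that reads the tcpdump ARP line quoted in post 1 and sums the per-chain packet counters from the `iptables -vnL` output in post 2. It assumes the lan subnet 172.16.2.0/24 from the network config and uses constructed excerpts of both outputs; because a host only sends ARP for addresses it believes are on its own link, and a router never forwards ARP, an ARP request for an off-link target shows the frame will never reach the FORWARD chain, whatever the zone rules say.

```python
import ipaddress
import re

# Constructed sample: the ARP request quoted in the post, and the br-lan
# subnet taken from the poster's network config (172.16.2.132/24).
ARP_LINE = "07:07:23.834236 ARP, Request who-has 172.16.3.133 tell 172.16.2.136, length 46"
LAN_NET = ipaddress.ip_network("172.16.2.0/24")

ARP_RE = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")


def arp_is_off_link(line, lan_net):
    """Return (target, sender, off_link) for a tcpdump ARP request line.

    off_link is True when the sender is on lan_net but asks for an address
    outside it: the sender has no route for that prefix and is treating the
    destination as directly attached, so the router will never see an IP
    packet to forward. Returns None for lines that are not ARP requests."""
    m = ARP_RE.search(line)
    if not m:
        return None
    target = ipaddress.ip_address(m.group(1))
    sender = ipaddress.ip_address(m.group(2))
    return target, sender, (sender in lan_net and target not in lan_net)


# Constructed excerpt in the shape of the `iptables -vnL` output above.
IPTABLES_OUT = """\
Chain delegate_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 forwarding_rule  all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 zone_lan_forward  all  --  br-lan *       0.0.0.0/0            0.0.0.0/0
Chain zone_wan_dest_ACCEPT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    9   540 ACCEPT     all  --  *      wwan    0.0.0.0/0            0.0.0.0/0
"""


def chain_hit_counts(text):
    """Sum the pkts column per chain: a chain stuck at 0 never saw traffic."""
    counts, chain = {}, None
    for line in text.splitlines():
        fields = line.split()
        if line.startswith("Chain "):
            chain = fields[1]
            counts[chain] = 0
        elif chain and fields and fields[0].isdigit():
            counts[chain] += int(fields[0])
    return counts
```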
JamesSu
December 16, 2020, 12:57pm
3
Continuing...
(1) Bridge firewalling is enabled as below,
net.bridge.bridge-nf-call-arptables=1
net.bridge.bridge-nf-call-ip6tables=1
net.bridge.bridge-nf-call-iptables=1
already set in sysctl.conf and synced with sysctl -p.
(2) Per my debugging, br-netfilter is also registered in the kernel.
Please let me know your thoughts. Thanks.