Cannot access Dumb AP from gateway

I have a Raspberry Pi 3 and an Archer C7 in my network, both running the OpenWRT 19.0.7 stable release. I was running some VPN services on the C7, but its performance is terrible for these workloads, so I used the RPi3 as a gateway instead and use the C7 as a Dumb AP.

I have set the C7 as a Dumb AP as instructed in the OpenWRT documentation, and it's working well for wired/wireless clients. However, the C7 and all clients connected to it cannot be accessed from the gateway.

The gateway has the IP address 192.168.1.254, and the C7 has the address 192.168.1.1. When I use tcpdump on both devices and ping the C7 from the gateway, I can see that the ICMP requests came through and got replied to; however, the source IP address in both tcpdump outputs shows 192.168.1.1 instead of the correct 192.168.1.254. Using ping -I 192.168.1.254 from the gateway gives the same result.

Is there any misconfiguration on my side, or is this just a side effect of Dumb AP?

FWIW, here's the log:

RPi3 (gateway, 192.168.1.254):

10:03:11.710385 IP (tos 0x0, ttl 64, id 30938, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.1.1: ICMP echo request, id 34832, seq 2, length 64

C7 (dumb AP, 192.168.1.1):

10:03:09.009285 IP (tos 0x0, ttl 64, id 30938, offset 0, flags [DF], proto ICMP (1), length 84)
    192.168.1.1 > 192.168.1.1: ICMP echo request, id 34832, seq 2, length 64

The source IP from the gateway should have been 192.168.1.254 instead of 192.168.1.1.

Any ideas?

EDIT: Below is tcpdump for SSH'ing from gateway to dumb AP:

Gateway:

10:15:02.665431 IP (tos 0x0, ttl 64, id 10585, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.1.35246 > 192.168.1.1.22: Flags [S], cksum 0xa781 (incorrect -> 0xfaaf), seq 2926678593, win 29200, options [mss 1460,sackOK,TS val 3523254132 ecr 0,nop,wscale 7], length 0
10:15:03.679152 IP (tos 0x0, ttl 64, id 10586, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.1.35246 > 192.168.1.1.22: Flags [S], cksum 0xa781 (incorrect -> 0xf6b9), seq 2926678593, win 29200, options [mss 1460,sackOK,TS val 3523255146 ecr 0,nop,wscale 7], length 0

Dumb AP:

tcpdump: listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
10:14:59.954530 IP (tos 0x0, ttl 64, id 10585, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.1.35246 > 192.168.1.1.22: Flags [S], cksum 0xfaaf (correct), seq 2926678593, win 29200, options [mss 1460,sackOK,TS val 3523254132 ecr 0,nop,wscale 7], length 0
10:15:00.968196 IP (tos 0x0, ttl 64, id 10586, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.1.35246 > 192.168.1.1.22: Flags [S], cksum 0xf6b9 (correct), seq 2926678593, win 29200, options [mss 1460,sackOK,TS val 3523255146 ecr 0,nop,wscale 7], length 0

Could it be that OpenWrt thinks that 192.168.1.1 is the actual gateway for the LAN network? I am not sure about this. Is it possible that you left the firewall running on your Dumb AP?

Just a thought; did you tell the AP that the gateway is located at 192.168.1.254?

It looks like a mess with the IP addresses. Can you log in to the RPi and the AP from a wireless client of the AP?

I'm pretty sure that I've set the gateway IP on the AP correctly. Both the gateway and the AP have access to the Internet via the gateway.

Yes, the AP has Internet access through the gateway.

Yes, I can log into both RPi and AP just fine via wireless. It's just that the reverse direction (from gateway to AP) doesn't work. Everything from the AP side works just fine.

The reason I need this to work is that sometimes I'll have to remote into the machines inside this network, all of which are connected to the AP instead of the RPi. If I'm unable to access anything under the AP from the gateway, then I won't be able to remote into these machines.

To use the RPI as a gateway means that it has two network interfaces and one is your connection to the Internet. Is that indeed the case?

A dumb AP should have only one network: lan, and an IP on the LAN that is unique. Its default route is to the gateway.

It looks like both devices are holding 192.168.1.1 on one of their interfaces. This will not work.

What is the IP of the RPi and what is the IP of the AP?

I think you are looking for this.

I've seen it, but there is strange behavior, that's why I asked once more.

As I have said in the post, they have different IPs and clients under the AP can access both of them just fine. The strange behavior is somehow on the gateway side: its own source IP was being rewritten as 192.168.1.1, which should have been 192.168.1.254.

The RPi has IP 192.168.1.254, as a gateway.
The C7 has IP 192.168.1.1, as dumb AP.

Wired/wireless clients connected via the C7 can access both the RPi and the C7.
The RPi itself, and I suspect, though not tested, the clients connected directly to the gateway, cannot access the C7 and anything under it.

Is there a specific reason that you are choosing to have the base IP 192.168.1.1 assigned to the Dumb AP instead of the gateway? Things may get smoother if IPs were reversed. Anyway the current situation should work and there could be something that is wrong. Could you post the network config here from both routers?

OK, please give the output from the RPi:

ip a s
ip route
ip rule show
ip route show table all

No specific reason really... but this setup should work. I'm gonna post the network config in the next reply to ulmwind.

So actually my subnet is 192.168.19.x, I was changing it to 192.168.1.x in the post for easier reading. Here are the outputs:

ip a s:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP group default qlen 1000
    link/ether b8:27:eb:b3:97:dc brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0e:c6:cd:4a:f1 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.4/24 brd 192.168.1.255 scope global eth1
       valid_lft forever preferred_lft forever
    inet6 fe80::20e:c6ff:fecd:4af1/64 scope link
       valid_lft forever preferred_lft forever
4: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel master br-lan state UP group default qlen 1000
    link/ether b8:27:eb:e6:c2:89 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::ba27:ebff:fee6:c289/64 scope link
       valid_lft forever preferred_lft forever
5: tinc: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none
    inet 192.168.248.9/24 brd 192.168.248.255 scope global tinc
       valid_lft forever preferred_lft forever
    inet6 fe80::f83d:cc35:3378:f81d/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether b8:27:eb:b3:97:dc brd ff:ff:ff:ff:ff:ff
    inet 192.168.19.254/24 brd 192.168.19.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 240e:fe:2d1d:e100::1/60 scope global dynamic noprefixroute
       valid_lft 2343sec preferred_lft 2343sec
    inet6 fd2b:e19c:4869::1/60 scope global noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::ba27:ebff:feb3:97dc/64 scope link
       valid_lft forever preferred_lft forever
7: pppoe-wan: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1492 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp
    inet 100.64.21.133 peer 100.64.0.1/32 scope global pppoe-wan
       valid_lft forever preferred_lft forever
    inet6 240e:fa:ed:5e84:20e:c602:36cd:4af1/64 scope global dynamic noprefixroute
       valid_lft 2591942sec preferred_lft 604742sec
    inet6 fe80::20e:c602:36cd:4af1/10 scope link
       valid_lft forever preferred_lft forever

ip route:

default via 100.64.0.1 dev pppoe-wan proto static
10.0.0.0/8 via 192.168.248.9 dev tinc proto static
100.64.0.1 dev pppoe-wan proto kernel scope link src 100.64.21.133
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.4
192.168.18.0/24 via 192.168.248.9 dev tinc proto static
192.168.19.0/24 dev br-lan proto kernel scope link src 192.168.19.254
192.168.20.0/24 via 192.168.248.9 dev tinc proto static
192.168.22.0/24 via 192.168.248.9 dev tinc proto static
192.168.33.0/24 via 192.168.248.9 dev tinc proto static
192.168.104.0/22 via 192.168.248.9 dev tinc proto static
192.168.108.0/22 via 192.168.248.9 dev tinc proto static
192.168.109.0/24 via 192.168.248.9 dev tinc proto static
192.168.110.0/24 via 192.168.248.9 dev tinc proto static
192.168.111.0/24 via 192.168.248.9 dev tinc proto static
192.168.248.0/24 via 192.168.248.9 dev tinc proto static

ip rule show:

0:	from all lookup local
32765:	from all fwmark 0x1 lookup 100  <-- this is transparent proxy mark for v2ray
32766:	from all lookup main
32767:	from all lookup default

ip r s table all:

local default dev lo table 100 scope host
default via 100.64.0.1 dev pppoe-wan proto static
10.0.0.0/8 via 192.168.248.9 dev tinc proto static
100.64.0.1 dev pppoe-wan proto kernel scope link src 100.64.21.133
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.4
192.168.18.0/24 via 192.168.248.9 dev tinc proto static
192.168.19.0/24 dev br-lan proto kernel scope link src 192.168.19.254
192.168.20.0/24 via 192.168.248.9 dev tinc proto static
192.168.22.0/24 via 192.168.248.9 dev tinc proto static
192.168.33.0/24 via 192.168.248.9 dev tinc proto static
192.168.104.0/22 via 192.168.248.9 dev tinc proto static
192.168.108.0/22 via 192.168.248.9 dev tinc proto static
192.168.109.0/24 via 192.168.248.9 dev tinc proto static
192.168.110.0/24 via 192.168.248.9 dev tinc proto static
192.168.111.0/24 via 192.168.248.9 dev tinc proto static
192.168.248.0/24 via 192.168.248.9 dev tinc proto static
local 100.64.21.133 dev pppoe-wan table local proto kernel scope host src 100.64.21.133
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev eth1 table local proto kernel scope link src 192.168.1.4
local 192.168.1.4 dev eth1 table local proto kernel scope host src 192.168.1.4
broadcast 192.168.1.255 dev eth1 table local proto kernel scope link src 192.168.1.4
broadcast 192.168.19.0 dev br-lan table local proto kernel scope link src 192.168.19.254
local 192.168.19.254 dev br-lan table local proto kernel scope host src 192.168.19.254
broadcast 192.168.19.255 dev br-lan table local proto kernel scope link src 192.168.19.254
broadcast 192.168.248.0 dev tinc table local proto kernel scope link src 192.168.248.9
local 192.168.248.9 dev tinc table local proto kernel scope host src 192.168.248.9
broadcast 192.168.248.255 dev tinc table local proto kernel scope link src 192.168.248.9
default from 240e:fa:ed:5e84::/64 via fe80::3826:69ff:fe15:ff25 dev pppoe-wan proto static metric 512 pref medium
default from 240e:fe:2d1d:e100::/56 via fe80::3826:69ff:fe15:ff25 dev pppoe-wan proto static metric 512 pref medium
240e:fa:ed:5e84::/64 dev pppoe-wan proto static metric 256 pref medium
240e:fe:2d1d:e100::/64 dev br-lan proto static metric 1024 pref medium
unreachable 240e:fe:2d1d:e100::/56 dev lo proto static metric 2147483647 error 4294967183 pref medium
fd2b:e19c:4869::/64 dev br-lan proto static metric 1024 pref medium
unreachable fd2b:e19c:4869::/48 dev lo proto static metric 2147483647 error 4294967183 pref medium
fe80::/64 dev tinc proto kernel metric 256 pref medium
fe80::/64 dev br-lan proto kernel metric 256 pref medium
fe80::/64 dev wlan0 proto kernel metric 256 pref medium
fe80::/64 dev eth1 proto kernel metric 256 pref medium
fe80::/10 dev pppoe-wan metric 1 pref medium
fe80::/10 dev pppoe-wan proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
anycast 240e:fa:ed:5e84:: dev pppoe-wan table local proto kernel metric 0 pref medium
local 240e:fa:ed:5e84:20e:c602:36cd:4af1 dev pppoe-wan table local proto kernel metric 0 pref medium
anycast 240e:fe:2d1d:e100:: dev br-lan table local proto kernel metric 0 pref medium
local 240e:fe:2d1d:e100::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fd2b:e19c:4869:: dev br-lan table local proto kernel metric 0 pref medium
local fd2b:e19c:4869::1 dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev tinc table local proto kernel metric 0 pref medium
anycast fe80:: dev br-lan table local proto kernel metric 0 pref medium
anycast fe80:: dev wlan0 table local proto kernel metric 0 pref medium
anycast fe80:: dev eth1 table local proto kernel metric 0 pref medium
anycast fe80:: dev pppoe-wan table local proto kernel metric 0 pref medium
local fe80::20e:c602:36cd:4af1 dev pppoe-wan table local proto kernel metric 0 pref medium
local fe80::20e:c6ff:fecd:4af1 dev eth1 table local proto kernel metric 0 pref medium
local fe80::ba27:ebff:feb3:97dc dev br-lan table local proto kernel metric 0 pref medium
local fe80::ba27:ebff:fee6:c289 dev wlan0 table local proto kernel metric 0 pref medium
local fe80::f83d:cc35:3378:f81d dev tinc table local proto kernel metric 0 pref medium
ff00::/8 dev br-lan table local metric 256 pref medium
ff00::/8 dev tinc table local metric 256 pref medium
ff00::/8 dev wlan0 table local metric 256 pref medium
ff00::/8 dev eth1 table local metric 256 pref medium
ff00::/8 dev pppoe-wan table local metric 256 pref medium

EDIT: Some more info:

eth0 is the interface that serves the LAN (DHCP, DNS etc), and eth1 is the interface that connects to WAN

The 192.168.1.x IP address was obtained via DHCP from the WAN router, which is used for accessing its management web UI. It doesn't affect the network in any way.

The problem I'm having now is, the source IP was being rewritten to 192.168.19.1 on the RPi gateway, which should have been 192.168.19.254.

192.168.1.4 is configured as 192.168.19.254.
It is strange behavior, because src equals 192.168.19.254.
Please check once more that the IP of the AP equals 192.168.19.1. You've created a mess, so it is not easy to find the mistake.

Please also give the output of
iptables -S -t mangle
but it is optional.

Yes, I'm sure the AP has 192.168.19.1, ip a s output on the AP:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP qlen 1000
    link/ether 50:d4:f7:b4:f0:0d brd ff:ff:ff:ff:ff:ff
    inet6 fe80::52d4:f7ff:feb4:f00d/64 scope link
       valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 50:d4:f7:b4:f0:0d brd ff:ff:ff:ff:ff:ff
    inet 192.168.19.1/24 brd 192.168.19.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 fe80::52d4:f7ff:feb4:f00d/64 scope link
       valid_lft forever preferred_lft forever
7: eth0.1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 50:d4:f7:b4:f0:0d brd ff:ff:ff:ff:ff:ff
8: eth0.2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 50:d4:f7:b4:f0:0e brd ff:ff:ff:ff:ff:ff
    inet6 fe80::52d4:f7ff:feb4:f00e/64 scope link
       valid_lft forever preferred_lft forever
9: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 50:d4:f7:b4:f0:0d brd ff:ff:ff:ff:ff:ff
    inet6 fe80::52d4:f7ff:feb4:f00d/64 scope link
       valid_lft forever preferred_lft forever
10: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether 50:d4:f7:b4:f0:0c brd ff:ff:ff:ff:ff:ff
    inet6 fe80::52d4:f7ff:feb4:f00c/64 scope link
       valid_lft forever preferred_lft forever

iptables -S -t mangle on RPi:

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N V2RAY
-N V2RAY_MASK
-A PREROUTING -i br-lan -j V2RAY
-A PREROUTING -m mark --mark 0x1 -j V2RAY
-A FORWARD -o pppoe-wan -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: Zone wan MTU fixing" -j TCPMSS --clamp-mss-to-pmtu
-A OUTPUT -j V2RAY_MASK
-A V2RAY -m mark --mark 0xff -j RETURN
-A V2RAY -d 192.168.19.254/32 -p udp -m udp --dport 53 -j TPROXY --on-port 12345 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A V2RAY -m set --match-set v2ray_dst_direct_v4 dst -j RETURN
-A V2RAY -p tcp -j TPROXY --on-port 12345 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A V2RAY -p udp -j TPROXY --on-port 12345 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A V2RAY_MASK -m mark --mark 0xff -j RETURN
-A V2RAY_MASK -m set --match-set v2ray_dst_direct_v4 dst -j RETURN
-A V2RAY_MASK -p tcp -j MARK --set-xmark 0x1/0xffffffff
-A V2RAY_MASK -p udp -j MARK --set-xmark 0x1/0xffffffff
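
Added example, not part of the original posts: a simplified Python model of the mangle OUTPUT chain, `ip rule` list and routes posted above, tracing which routing table a packet generated on the gateway is resolved through. The members of the ipset v2ray_dst_direct_v4 are not shown in the thread, so `DIRECT_SET_ASSUMED` is an assumption, and the function names are hypothetical.

```python
import ipaddress

# Constructed model of the mangle OUTPUT rules, `ip rule` and routes posted above.
# ASSUMPTION: the members of ipset v2ray_dst_direct_v4 are not shown on the page.
DIRECT_SET_ASSUMED = []  # try ["192.168.19.0/24"] to model a LAN bypass entry

# Addresses in the posted `local` table (IPv4 only).
LOCAL_ADDRS = {"127.0.0.1", "192.168.1.4", "192.168.19.254",
               "192.168.248.9", "100.64.21.133"}

# Subset of the posted main table: (prefix, output device).
MAIN_TABLE = [("0.0.0.0/0", "pppoe-wan"), ("10.0.0.0/8", "tinc"),
              ("192.168.1.0/24", "eth1"), ("192.168.19.0/24", "br-lan"),
              ("192.168.248.0/24", "tinc")]


def v2ray_mask(proto, dst, mark, direct_set):
    """Walk chain V2RAY_MASK (hooked from mangle OUTPUT); return the new mark."""
    if mark == 0xFF:                                  # -m mark --mark 0xff -j RETURN
        return mark
    if any(dst in ipaddress.ip_network(n) for n in direct_set):
        return mark                                   # --match-set ... dst -j RETURN
    if proto in ("tcp", "udp"):                       # MARK --set-xmark 0x1/0xffffffff
        return 0x1
    return mark                                       # ICMP etc. fall off the chain


def lookup(dst, mark):
    """Apply the posted `ip rule` list in priority order."""
    if str(dst) in LOCAL_ADDRS:                       # 0: lookup local
        return ("local", "lo")
    if mark == 0x1:                                   # 32765: fwmark 0x1 lookup 100
        return ("100", "lo")                          # local default dev lo table 100
    nets = [(ipaddress.ip_network(p), dev) for p, dev in MAIN_TABLE]
    best = max((n for n in nets if dst in n[0]), key=lambda n: n[0].prefixlen)
    return ("main", best[1])                          # 32766: lookup main


def trace(proto, dst, mark=0, direct_set=DIRECT_SET_ASSUMED):
    """Return (mark, table, device) for a packet generated on the gateway."""
    dst = ipaddress.ip_address(dst)
    mark = v2ray_mask(proto, dst, mark, direct_set)
    table, dev = lookup(dst, mark)
    return (mark, table, dev)


if __name__ == "__main__":
    for proto in ("icmp", "tcp", "udp"):
        print(proto, "->", trace(proto, "192.168.19.1"))
    print("tcp, mark 0xff ->", trace("tcp", "192.168.19.1", mark=0xFF))
    print("tcp, LAN in set ->", trace("tcp", "192.168.19.1",
                                      direct_set=["192.168.19.0/24"]))
```

With the set assumed empty, TCP and UDP from the gateway to 192.168.19.1 pick up mark 0x1 and resolve through table 100 to lo, while ICMP keeps mark 0 and leaves via br-lan.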

I think the underlying problem is in your config. If you can post the config then someone can spot the issue.