Cannot get data in and out of AP/switch via "WAN" side

So I got started with OpenWrt support for Linksys MX4200 - #1309 by stridhiryu03 and at this point I understand that I have a device running development software, I've got 2/3 of the radios on (which is fine since I don't think I have a device that can use the 3rd), I've got LuCI installed, I'll have ssh keys set up soon, and my proof of concept that I can get this thing to run OpenWrt before the return period expires is done.

What I cannot figure out how to do is set it up so that I can access it from "outside" of the "LAN" that the AP creates. If I connect a machine to a LAN port I can communicate with it, but I can't use the WAN port to get data in and out which means that machines connected to it can't access the whole subnet provided by the router or the internet.

I've gotten around this by connecting a switch to my router, my server to the switch, and the AP to the switch via one of the AP's LAN ports. That way, I can ssh to my server and then to the AP to get the following output.

So what I'm trying to figure out is what's wrong with my setup that isn't letting data go in and out of the AP/switch.

root@OpenWrt:/etc/config# cat network; hr; cat firewall 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd3c:ab99:848c::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config device
	option name 'lan1'
	option macaddr ''

config device
	option name 'lan2'
	option macaddr ''

config device
	option name 'lan3'
	option macaddr ''

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.120'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'
	list dns '1.0.0.1'
	list dns '8.8.8.8'

config interface 'wan'
	option device 'wan'
	option proto 'none'

config interface 'wan6'
	option device 'wan'
	option proto 'none'

config device
	option name 'phy0-ap0'

config device
	option name 'phy1-ap0'

######################################################################################################################

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow SSH from WAN'
	option src 'wan'
	option dest_port '22'
	option target 'ACCEPT'
	option dest 'lan'
	list dest_ip '192.168.1.120'
	option enabled '0'

config rule
	option name 'Allow HTTP/HTTPS from LAN'
	option src 'wan'
	list dest_ip '192.168.1.120'
	option dest_port '80'
	option target 'ACCEPT'
	option dest 'lan'
	option enabled '0'

config forwarding
	option src 'wan'
	option dest 'lan'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'wan'
	option src_dport '80'
	option dest_ip '192.168.1.120'
	option dest_port '80'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'wan'
	option src_dport '443'
	option dest_ip '192.168.1.120'
	option dest_port '443'

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/wireless
cat /etc/config/dhcp

My understanding is that if you must use the WAN port on your AP that's connected to your router, you have to set it up as a router instead of an AP to be able to connect to the internet. Pretty much have the DHCP running.

You still won't be able to connect to any devices through the WAN though. It's pretty much a second network at this point. If you're trying to use the WAN because you don't have enough LAN ports, I believe you can just change the WAN into a LAN in the settings.

!! root@OpenWrt# ubus call system board; hr; cat /etc/config/wireless; hr; cat /etc/config/dhcp 
{
	"kernel": "6.6.43",
	"hostname": "OpenWrt",
	"system": "ARMv8 Processor rev 4",
	"model": "Linksys MX4300",
	"board_name": "linksys,mx4300",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "SNAPSHOT",
		"revision": "r0-2540ea6",
		"target": "qualcommax/ipq807x",
		"description": "OpenWrt SNAPSHOT r0-2540ea6"
	}
}
########################################################################################################################

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc@0/c000000.wifi'
	option band '5g'
	option channel '36'
	option htmode 'HE80'
	option disabled '0'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'cloud of titties α'
	option encryption 'sae-mixed'
	option key 'brianvargo'
	option ocv '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc@0/c000000.wifi+1'
	option band '2g'
	option channel '1'
	option htmode 'HE20'
	option disabled '0'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'cloud of titties α'
	option encryption 'sae-mixed'
	option key 'brianvargo'
	option ocv '0'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc@0/c000000.wifi+2'
	option band '5g'
	option channel '100'
	option htmode 'HE80'
	option disabled '1'
	option cell_density '0'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'sae-mixed'
	option key 'brianvargo'
	option ocv '0'
	option disabled '1'

########################################################################################################################

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

So when I wasn't able to function effectively with the AP, server, and internet not being interoperable, the mental space I could effectively use to resolve the problem was substantially diminished.

Once again physically located next to the new AP, I've found that if I go from [ROUTER] LAN to [AP] LAN, things work, so chances are very good that this is the missing piece:

[ROUTER]:

root@OpenWrt:~# ubus call system board
{
	"kernel": "5.10.176",
	"hostname": "OpenWrt",
	"system": "MediaTek MT7621 ver:1 eco:3",
	"model": "CUDY X6",
	"board_name": "cudy,x6",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "22.03.5",
		"revision": "r20134-5f15225c1e",
		"target": "ramips/mt7621",
		"description": "OpenWrt 22.03.5 r20134-5f15225c1e"
	}
}
root@OpenWrt:~# 
root@OpenWrt:~# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback [redacted] brd [redacted]
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1504 qdisc fq_codel master br-lan state UP qlen 1000
    link/ether [redacted] brd [redacted]
3: lan1@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether [redacted] brd [redacted]
4: lan2@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether [redacted] brd [redacted]
5: lan3@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether [redacted] brd [redacted]
6: lan4@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether [redacted] brd [redacted]
7: wan@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether [redacted] brd [redacted]
10: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether [redacted] brd [redacted]
11: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether [redacted] brd [redacted]
12: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP qlen 1000
    link/ether [redacted] brd [redacted]

So looking at links 3-7, it looks like I have lan1-4 and wan. There are 4 physical RJ45 ports on the router; 1-3 are labeled Ethernet, and 3 is further labeled with a yellow bar over it, as is the 4th port, which is primarily labeled "Internet".

It seems that port 4 is presently doing both WAN and LAN?

In LuCI, go to Network -> Interfaces and delete the wan interface. Then choose the Devices tab. Edit "br-lan", and add the "wan" device to the "bridge ports" using the drop-down.

https://www.reddit.com/r/openwrt/comments/tx9nvs/comment/i3m5cud/
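
The same change can be made over ssh with `uci` instead of LuCI. This is an added example, not part of the thread; it assumes the names from the posted /etc/config/network (`wan`, `wan6`, `br-lan`), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: put the 'wan' port into the br-lan bridge (dumb-AP setup).
# Assumes the interface and device names shown in the posted network config.

# Print the UCI section (e.g. network.@device[0]) whose 'name' is the bridge.
find_bridge_section() {
    uci show network | sed -n "s/^\(network\.[^.]*\)\.name='$1'\$/\1/p" | head -n 1
}

# Remove the unused wan/wan6 interfaces and add the wan port to the bridge.
bridge_wan_into_lan() {
    bridge="${1:-br-lan}"
    section="$(find_bridge_section "$bridge")"
    if [ -z "$section" ]; then
        echo "no device section named $bridge" >&2
        return 1
    fi
    # Idempotent: do nothing if 'wan' is already a bridge port.
    if uci -q get "$section.ports" | tr ' ' '\n' | grep -qx wan; then
        echo "wan is already a port of $bridge"
        return 0
    fi
    # The wan/wan6 interfaces use proto 'none'; drop them so the port is free.
    for iface in wan wan6; do
        uci -q delete "network.$iface" || true
    done
    uci add_list "$section.ports=wan"
    uci commit network
    echo "wan added to $bridge; restart the network service to apply"
}
```

After sourcing the file, run `bridge_wan_into_lan` and then `/etc/init.d/network restart`. Once the port is bridged, anything plugged into it is on the LAN, so firewall rules written for the `wan` zone no longer apply to that traffic.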

I deleted the wan & wan6 under Network > Interfaces.
I checked the box left of Network > Devices > [br-lan] Configure > Bridge ports [lan1] [lan2] [lan3] ▾ > ☑ ethernet Ethernet Adapter: "wan"
