Configuration issues with openwrt device as a client

basic desired configuration diagram (ip addresses can change as needed)


if I log in to the AP 10.249.1.36 with my laptop wifi, I receive the camera video stream
but if I log in to 10.249.1.32 I can no longer see the video stream
I need to make the video stream available to the Master (10.249.31.32)
the iPad is talking to the Lane (10.249.1.32) web app functioning
I can ping the lane (10.249.1.32) from the Client onion (10.249.1.36)
I can ping the car (10.249.31.33) from the Client onion (10.249.31.251)
but the car (10.249.31.33) cannot see the lane (10.249.1.32)
I don't know enough about networking to fix the configurations to allow the car and the lane to
connect to each other. Everything has to use static IP addresses
it is a private network, so I don't want to use a firewall.
I am a noob at networking and could really use some help
thanks in advance.

#-------------------------------------------------------------------------------------------------------------------
car client openwrt network file:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd89:5966:aa3e::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0i wlan0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.249.31.251'
        option netmask '255.255.255.0'
        option ip6assign '60'

#-------------------------------------------------------------------------------------------------------------------
car client openwrt wireless file

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/10300000.wmac'
        option channel '1'
        option band '2g'
        option htmode 'HT20'
        option disabled '0'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'test1'
        option encryption 'psk2'
        option key 'P4ssw0rd7'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'sta'
        option ssid 'ATRS-A7'
        option key 'P4ssw0rd7'
        option encryption 'psk2'
        #option network 'wlan lan'

#-------------------------------------------------------------------------------------------------------------------
lane AP openwrt network file

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd89:5966:aa3e::/48'

config interface 'wlan'
        option proto 'static'
        option ipaddr '10.249.1.35'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-wlan'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.249.1.253'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'br-wlan'
        option type 'bridge'
        list ports 'eth0'

#-------------------------------------------------------------------------------------------------------------------
lane AP openwrt wireless file

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/10300000.wmac'
        option channel '1'
        option band '2g'
        option htmode 'HT20'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'ATRS-A7'
        option encryption 'psk2'
        option key 'P4ssw0rd7'

#-------------------------------------------------------------------------------------------------------------------

Welcome to the forum. Thank you for taking the time to explain your problem clearly, as well as providing configuration extracts and even a diagram. It's refreshing!

However, there are still some more configuration elements which would help your audience to try to help you.

You've indicated that you don't want to use a firewall, but it's always possible that the firewall might be active. Similarly, if any of your devices are using DHCP, it would be helpful to understand your DHCP configuration. I appreciate you indicated that everything has to use static addressing, but it may still be beneficial to eliminate DHCP early on.

On that note, would you also provide the contents of /etc/config/firewall and /etc/config/dhcp from both OpenWRT devices?

One glaring discrepancy which stands out immediately is the IP address of "Master" and the subnet apparently presented by "Lane". "Master" does not sit in "10.249.1.0/24" so either "Master's" IP address will have to change, or "Lane's" subnet details will have to change.

Further to the above paragraph, "Lane's" network details must be changed. You're attempting to bridge "eth0" with both "br-lan" and "br-wlan", which won't work. You've already got "ATRS-A7" joined to the "lan" network in /etc/config/wireless, which is usually sufficient to establish a wired/wireless bridge.
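The two problems named in the reply above (an address outside the subnet "Lane" presents, and "eth0" listed in two bridges) can be checked mechanically from the posted file. This is an added example, not part of the original thread; the function names are hypothetical and the sample is a trimmed copy of the lane AP network file shown earlier.

```python
import ipaddress
import shlex

# Constructed sample: the non-loopback sections of the lane AP's network file from the thread.
LANE_NETWORK = """
config interface 'wlan'
        option proto 'static'
        option ipaddr '10.249.1.35'
        option netmask '255.255.255.0'
        option device 'br-wlan'
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.249.1.253'
        option netmask '255.255.255.0'
config device
        option name 'br-wlan'
        option type 'bridge'
        list ports 'eth0'
"""

def parse_uci(text):
    """Parse UCI text into sections: {'type': ..., 'name': ..., 'opts': {...}}."""
    sections = []
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)
        if len(tok) >= 2 and tok[0] == "config":
            sections.append({"type": tok[1], "name": tok[2] if len(tok) > 2 else None, "opts": {}})
        elif len(tok) >= 3 and sections and tok[0] == "option":
            sections[-1]["opts"][tok[1]] = tok[2]
        elif len(tok) >= 3 and sections and tok[0] == "list":
            # One quoted list value may hold several space-separated ports.
            sections[-1]["opts"].setdefault(tok[1], []).extend(tok[2].split())
    return sections

def shared_bridge_ports(sections):
    """Return {port: [bridge, ...]} for ports listed in more than one bridge."""
    owners = {}
    for s in sections:
        if s["type"] == "device" and s["opts"].get("type") == "bridge":
            for port in s["opts"].get("ports", []):
                owners.setdefault(port, []).append(s["opts"].get("name"))
    return {p: b for p, b in owners.items() if len(b) > 1}

def static_subnets(sections):
    """Return {interface: IPv4Network} for static interfaces that set an address."""
    nets = {}
    for s in sections:
        o = s["opts"]
        if s["type"] == "interface" and o.get("proto") == "static" and "ipaddr" in o:
            nets[s["name"]] = ipaddress.ip_network(f"{o['ipaddr']}/{o.get('netmask', '32')}", strict=False)
    return nets

def on_link(host, nets):
    """Names of the interfaces whose subnet contains the host address."""
    return [name for name, net in nets.items() if ipaddress.ip_address(host) in net]
```

Run against the sample, `shared_bridge_ports` reports "eth0" under both "br-lan" and "br-wlan", and `on_link("10.249.31.32", ...)` returns an empty list, which is the "Master" mismatch described above.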

thanks for looking. I don't know what to change and I am sure it is not correct as it stands. I welcome all suggestions and/or changes. I have been trying to figure it out and looking at info on the net, but to no avail. I appreciate your help.

the contents of the openwrt client device dhcp file:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

the contents of the openwrt client device firewall file:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'wwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

the contents of the openwrt AP device dhcp file:


config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

the contents of the openwrt AP device firewall file:

config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#       option src              wan
#       option src_dport        22001
#       option dest             lan
#       option dest_port        22
#       option proto            tcp

### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp

For the avoidance of doubt and ambiguity, is "Car" the client, and "Lane" the AP?

car is the client, yes, and lane is the ultimate AP, but really the openwrt onion device is actually the AP because neither the lane nor the car has built-in wifi

the car is wired into the client openwrt device. the lane is wired in (cat5) to the openwrt AP device


Hoist by my own ambiguity pétard; my apologies.

I was referring to the devices in this diagram:

[image: network diagram]

You drew the distinction between OpenWRT as a client and OpenWRT as an AP. I merely wanted to be sure which one you meant by "client" and which by "AP" so that I could make some notes and work up some suggestions for you.

Excellent. That's the clarification I was seeking. Thank you.

I really appreciate your time and help. thanks so much

I have no idea on how to get the video stream to the master computer which is wired into the lane AP with cat5. the master has no wifi

Not to worry; there'll be an answer. The answer will likely involve making some configuration changes to one or more of the devices in your diagram.

that sounds wonderful

I'll get to the IP addressing in a moment but, as a first step, if you're absolutely sure you don't want to use a firewall, then change every "REJECT" to "ACCEPT" and add all the interfaces to the lan zone. That'll permit intra-zone traffic to take place, and then all that needs to be sorted out is IP addressing and routing.

If you make the firewall changes on the command line, don't forget to restart the firewall service.

Give me a moment; I'm going to spin up a couple of OpenWRT routers in my lab and clone your configuration.

that sounds fantastic

your comment add all the interfaces to the "lan" zone in the firewall
is this correct?

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wlan'
        list network 'wlan0'
        list network 'eth0'
While I'm tinkering with my lab, if you don't need DHCP then you can add option ignore '1' to the config dhcp 'lan' section of /etc/config/dhcp; that disables the DHCP service on that interface; you can see that directive already for the wan interface.

That is the correct syntax, but I think it should be possible to achieve your goal with fewer interfaces defined.

root@OpenWrt:/etc/config# /etc/init.d/firewall enable
root@OpenWrt:/etc/config# /etc/init.d/firewall status
active with no instances
root@OpenWrt:/etc/config# /etc/init.d/firewall start
The fw4 firewall appears to be already loaded.
root@OpenWrt:/etc/config# /etc/init.d/firewall restart
root@OpenWrt:/etc/config#

I don't understand the 'active with no instances' (this is the firewall in the client)

Nor do I. We're in the same boat there. It might be documented somewhere; I'll look in a bit.