Dumb AP can't access another subnet on main router

I have a wireguard client as an interface on my main router which runs OpenWRT. Devices over LAN or WiFi can ping the wireguard subnet (10.13.13.0/24) from their subnet (192.168.0.0/24) with no issues. I have the firewall set up to masquerade so the wireguard server knows how to route back.

Anyway, I have set up a Dumb AP and have disabled firewall, dns and dhcp. The clients that are connected to that AP cannot ping the wireguard subnet. I have tried static routing to route 10.13.13.0/24 through 192.168.0.1 (main OpenWRT router) but still nothing.

Anyone have any ideas?

A dumb AP should be transparent. Is the dumb AP also running OpenWrt? If so, let's see the config files.

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

That's what I thought. It should just route everything through the main router which knows how to route to 10.13.13.0/24. Yes, the dumb AP is running OpenWRT. Config files below:


ubus call system board

{
        "kernel": "5.15.127",
        "hostname": "Meraki-MR18-AP",
        "system": "Qualcomm Atheros QCA9558 ver 1 rev 0",
        "model": "Meraki MR18",
        "board_name": "meraki,mr18",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0-rc3",
                "revision": "r23389-5deed175a5",
                "target": "ath79/nand",
                "description": "OpenWrt 23.05.0-rc3 r23389-5deed175a5"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda8:2b94:1d4f::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option ipv6 '0'

config device
        option name 'eth0'
        option macaddr '00:18:0a:79:8c:2c'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'


cat /etc/config/wireless (key has been removed)

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option channel 'auto'
        option band '2g'
        option htmode 'HT20'
        option country 'GB'
        option cell_density '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'Apple Extended - Meraki AP'
        option encryption 'psk2'
        option key ''
        option ieee80211r '1'
        option mobility_domain '3CA3'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option ieee80211k '1'
        option time_advertisement '2'
        option time_zone 'GMT0BST,M3.5.0/1,M10.5.0'
        option wnm_sleep_mode '1'
        option bss_transition '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option channel 'auto'
        option band '5g'
        option htmode 'HT40'
        option country 'GB'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'Apple Extended - Meraki AP'
        option encryption 'psk2'
        option key ''
        option ieee80211r '1'
        option mobility_domain '3CA3'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option ieee80211k '1'
        option time_advertisement '2'
        option time_zone 'GMT0BST,M3.5.0/1,M10.5.0'
        option wnm_sleep_mode '1'
        option bss_transition '1'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'pci0000:01/0000:01:00.0'
        option channel 'auto'
        option band '5g'
        option htmode 'HT40'
        option txpower '8'
        option country 'GB'
        option cell_density '0'
        option disabled '1'
        option bss_transition '1'
        option wnm_sleep_mode '1'
        option time_advertisement '2'
        option time_zone 'GMT0'
        option ieee80211k '1'
        option rrm_neighbor_report '1'
        option rrm_beacon_report '1'

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'


cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'

As mentioned:

You don't need to disable anything in the init.d (startup) processes... the only critical step (which you've already done) is disabling the DHCP server on lan in the config file.

Your configs here look fine... there is no reason why a wireless device here would behave any differently than other hosts on the network. Which leads me to this:

  • have you tested the ability for a wired host on this same subnet to reach your other subnet(s)?

I've just used tcpdump and can see that the dumb AP is sending (in this case) ICMP requests to the 10.13.13.0 subnet but obviously my main router isn't forwarding it for some reason. See this output from my main router:

18:28:16.276431 IP Meraki-MR18-AP.lan > 10.13.13.1: ICMP echo request, id 3678, seq 94, length 64
18:28:17.276597 IP Meraki-MR18-AP.lan > 10.13.13.1: ICMP echo request, id 3678, seq 95, length 64
18:28:18.276778 IP Meraki-MR18-AP.lan > 10.13.13.1: ICMP echo request, id 3678, seq 96, length 64
18:28:19.276970 IP Meraki-MR18-AP.lan > 10.13.13.1: ICMP echo request, id 3678, seq 97, length 64
18:28:20.277133 IP Meraki-MR18-AP.lan > 10.13.13.1: ICMP echo request, id 3678, seq 98, length 64
18:28:21.277306 IP Meraki-MR18-AP.lan > 10.13.13.1: ICMP echo request, id 3678, seq 99, length 64
18:28:22.277496 IP Meraki-MR18-AP.lan > 10.13.13.1: ICMP echo request, id 3678, seq 100, length 64
18:28:23.277671 IP Meraki-MR18-AP.lan > 10.13.13.1: ICMP echo request, id 3678, seq 101, length 64
...
18:28:28.650111 IP Win11-Desktop.lan > 10.13.13.1: ICMP echo request, id 1, seq 273, length 40
18:28:28.676833 IP 10.13.13.1 > Win11-Desktop.lan: ICMP echo reply, id 1, seq 273, length 40
18:28:29.660857 IP Win11-Desktop.lan > 10.13.13.1: ICMP echo request, id 1, seq 274, length 40
18:28:29.687049 IP 10.13.13.1 > Win11-Desktop.lan: ICMP echo reply, id 1, seq 274, length 40
18:28:30.671722 IP Win11-Desktop.lan > 10.13.13.1: ICMP echo request, id 1, seq 275, length 40
18:28:30.698063 IP 10.13.13.1 > Win11-Desktop.lan: ICMP echo reply, id 1, seq 275, length 40
18:28:31.679945 IP Win11-Desktop.lan > 10.13.13.1: ICMP echo request, id 1, seq 276, length 40
18:28:31.706212 IP 10.13.13.1 > Win11-Desktop.lan: ICMP echo reply, id 1, seq 276, length 40

Meraki-MR18-AP is the dumb AP. You can see that it's trying to ping 10.13.13.1 and is not getting a reply. The second device, Win11-Desktop, is connected through LAN directly to the router and that can ping 10.13.13.1 with no issues.

And I can't test this from the AP as it only has a single Ethernet port. It can however ping my ISP router at 192.168.1.1.

A few more thoughts here...

  1. let's look at your main router's config
  2. if you're dealing with Windows machines, you may need to turn off the Windows firewall (by default, it blocks requests from other subnets)
  3. I don't think that the dumb AP is at all implicated here. Chances are that it is either windows related or a problem with the config of your main router.

As far as the wired connectivity... can you plug into another port on your main router or a switch? You just need to be on the same subnet as your dumb AP uses, but it is critical to test wired to ensure that #3 above is true. If necessary, just unplug your dumb AP for a moment and test with a computer connected there instead.

Wow, I'm really stupid. I forgot I had a firewall rule that only allowed certain devices through to that subnet. I'm going to go and bang my head against a wall now.

Sorry for wasting your time, but thank you so much for your help!

No problem. Glad you found the root cause!

