Dumb AP not dumb enough

Newbie here...

I set out to figure out what all the wi-fi traffic was on my cell phone. It seems constant. Planned to use Wireshark on a desktop PC.

I loaded the latest OpenWrt squashfs image into a WNDR3700v1. That worked fine. Setting it up as a dumb AP took quite a while as the GUI instructions are well out of date. Had to recover several times since default IP is and I wanted Finally got there.
(Wasn't helped by the fact I constantly scramble up 192.168 and 198.162. Have done it for years. No clue why.)

All was working OK. Cellphone connected to 3700 radio and accessed the world through via main router and cable modem.

Installed "opkg install iptables-mod-tee" without issue.

Got to the point where I needed to do "iptables -A PREROUTING -t mangle -i br-lan ! -d <TEST_DEVICE_IP_ADDRESS> -j TEE --gateway <MONITORING_WORKSTATION_IP_ADDRESS>"

About half of the stuff on my network gets assigned fixed IPs based on MAC address. "<MONITORING_WORKSTATION_IP_ADDRESS>" is always


I can find "<TEST_DEVICE_IP_ADDRESS>" on the OpenWrt GUI and on the phone but it bears no resemblance to anything on the main router's DHCP assigned addresses table. Same with the MAC address. Ping on the PC finds the phone.

How do I make the OpenWrt dumb AP really dumb? All I need is a pipe between the radio and the main router that will allow the execution of the iptables-mod-tee package. Having the wired ports on the AP work in a similar manner would be nice but is not required.


@MickeyLane, welcome to the community!

From your description, you're getting IPs from the AP; and not your main router, correct?

Did you disable DHCP on the OpenWrt interface in question?

Tell dnsmasq to ignore all interfaces. Bridge wifi and wired.

That's it.

1 Like

A dumb AP bridges user traffic at layer 2, I don't think that can trigger anything in iptables. Indeed the dumb AP is unaware of the phone's IP address since that was assigned by the main router not the AP.

You probably want to NAT the phone through OpenWrt so it is seeing layer 3.

On some hardware, the Ethernet switch offers hardware "mirroring" at layer 1.

1 Like

But everything just passes-through from the main router to the phone at level 2.

The OP wants to monitor the traffic on the main router, so that should be fine, no?

As mk24 mentioned, the iptables rule won't be triggered by Layer 2 traffic, because the ethernet frame is not directed toward the MAC of the dumb AP. The Layer 3 header would only be processed by netfilter if the destination MAC address is of the interface facing that L2 segment.

@MickeyLane: Another option is to do a remote packet capture and pipe it to wireshark:

wireshark -k -i <(ssh root@<dumb_openwrt> "tcpdump -s 0 -i <wireless> -w -")

It works best if you're using public keys so that you're not prompted for a password while wireshark is starting. This assumes you're capturing from the wired side. If you want to capture from another wireless client you'll need to add a filter to exclude ssh traffic from capture, otherwise it will cause a feedback loop.


OT but there are other options for packet capture. For example, using a named pipe and filtering on mac (i believe this gets both ipv6 and ipv4):

mkfifo client.dump
tail -f -c +0 client.dump > client-`date +"%Y%m%d-%H%M%S"`.tcpdump&
ssh -i ~/.ssh/dumbAP_rsa root@dumbAP 'tcpdump -i <if> ether host <XX:XX:XX:XX:XX:XX> -w -'> client.dump

where XX:XX:XX:XX:XX:XX is the client mac address.

This worked for me from a wired client (ubuntu) to log a wireless client of a dumb AP, but perhaps would avoid the feed back loop if using the same wireless interface.

+1 for using public ssh keys...

1 Like