Forwarding wired traffic over wireless using relayd

I am trying to configure a Compex 865 (based on Qualcomm AP161) using Chaos Calmer based QSDK to use relayd to relay traffic from my laptop to and from the Internet. My desired configuration is Laptop->wired interface->Compex->Wi-Fi->Guest Access on Wi-Fi router->Internet. I know WDS is easier (almost trivial, in fact) but that doesn't work if I don't have access to the Wi-Fi router and neither does gretap.

I have looked at Configure OpenWRT for relayd using LUCI and Configure OpenWRT for relayd using command line. They both say the same thing and following the instructions of one led me to the same configuration as following the instructions in the other.

In both cases, I ended up with changes to four configuration files. Here are the germane portions of each file:

/etc/config/wireless

config wifi-device  wifi0
        option type     qcawifi
        option channel  auto
        option macaddr  xx:xx:xx:xx:xx:xx
        option hwmode   11ac
        # REMOVE THIS LINE TO ENABLE WIFI:
        option disabled 0

config wifi-iface
        option device   wifi0
        option network  wwan
        option mode     sta
        option ssid     Wingo
        option encryption psk2
        option key      "xxxxxxxxxxxxxx"

/etc/config/network

config interface 'lan'
        option ifname 'eth1 eth2'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '10.0.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option multicast_querier '0'
        option igmp_snooping '0'
        option gateway '10.0.0.1'
        option dns '10.0.0.1'

config interface 'wwan'
        option proto 'dhcp'
        option ifname 'ath0'

config interface relay
        option proto relay
        option ipaddr 10.0.0.43
        option network 'lan wwan'

/etc/config/dhcp

config dhcp 'lan'
        option ignore '1'

/etc/config/firewall

config zone
        option name 'lan'
        list network 'lan wwan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

IMPORTANT NOTE: I did run /etc/init.d/relayd enable && /etc/init.d/relayd start since that seems to be required on my older OpenWRT distro.

NOTE: I could not get the Wi-Fi working without adding the extra option interface ath0 line in the network file.

NOTE: This post is using a different IP address for the relay than what the Wi-Fi connection is using. Not sure if that's of interest.

Also, I set up my Ubuntu laptop to alternately log in to the Compex or to the "relay" network:
relay:
ip a add 10.0.0.195/24 dev eth1
Compex:
ip a add 10.0.1.195/24 dev eth1

With these settings, from my laptop I can log in to the Compex but cannot reach the router or internet.

I tried running relayd from the command line with debugging enabled. The debug didn't help me as it made me realize quickly that I don't understand what relayd is doing under the covers:

/usr/sbin/relayd -I br-lan -I ath0 -B -D -L 10.0.0.43 -d
ath0: Found ARP cache entry for host 10.0.0.40 (xx:xx:xx:xx:xx:xx)
ath0: adding host 10.0.0.40 (xx:xx:xx:xx:xx:xx)
ath0: Found ARP cache entry for host 10.0.0.194 (xx:xx:xx:xx:xx:xx)
ath0: adding host 10.0.0.194 (xx:xx:xx:xx:xx:xx)
ath0: Found ARP cache entry for host 10.0.0.170 (xx:xx:xx:xx:xx:xx)
ath0: adding host 10.0.0.170 (xx:xx:xx:xx:xx:xx)
ath0: Found ARP cache entry for host 10.0.0.206 (xx:xx:xx:xx:xx:xx)
ath0: adding host 10.0.0.206 (xx:xx:xx:xx:xx:xx)
br-lan: Found ARP cache entry for host 10.0.1.255 (ff:ff:ff:ff:ff:ff)
br-lan: adding host 10.0.1.255 (ff:ff:ff:ff:ff:ff)
ath0: Found ARP cache entry for host 10.0.0.214 (xx:xx:xx:xx:xx:xx)
ath0: adding host 10.0.0.214 (xx:xx:xx:xx:xx:xx)
br-lan: Found ARP cache entry for host 239.255.255.250 (xx:xx:xx:xx:xx:xx)
br-lan: adding host 239.255.255.250 (xx:xx:xx:xx:xx:xx)
br-lan: Found ARP cache entry for host 224.0.0.22 (xx:xx:xx:xx:xx:xx)
br-lan: adding host 224.0.0.22 (xx:xx:xx:xx:xx:xx)
ath0: Found ARP cache entry for host 10.0.0.199 (xx:xx:xx:xx:xx:xx)
ath0: adding host 10.0.0.199 (xx:xx:xx:xx:xx:xx)
br-lan: Found ARP cache entry for host 10.0.0.206 (xx:xx:xx:xx:xx:xx)
br-lan: Found ARP cache entry for host 10.0.1.199 (xx:xx:xx:xx:xx:xx)
br-lan: adding host 10.0.1.199 (xx:xx:xx:xx:xx:xx)
ath0: Found ARP cache entry for host 10.0.0.195 (xx:xx:xx:xx:xx:xx)
ath0: adding host 10.0.0.195 (xx:xx:xx:xx:xx:xx)
br-lan: Found ARP cache entry for host 10.0.0.199 (xx:xx:xx:xx:xx:xx)
br-lan: Found ARP cache entry for host 224.0.0.1 (xx:xx:xx:xx:xx:xx)
br-lan: adding host 224.0.0.1 (xx:xx:xx:xx:xx:xx)
br-lan: Found ARP cache entry for host 10.0.1.195 (xx:xx:xx:xx:xx:xx)
br-lan: adding host 10.0.1.195 (xx:xx:xx:xx:xx:xx)
br-lan: Found ARP cache entry for host 10.0.0.195 (xx:xx:xx:xx:xx:xx)
ath0: Found ARP cache entry for host 10.0.0.198 (xx:xx:xx:xx:xx:xx)
ath0: adding host 10.0.0.198 (xx:xx:xx:xx:xx:xx)
ath0: Found ARP cache entry for host 10.0.0.1 (xx:xx:xx:xx:xx:xx)
ath0: adding host 10.0.0.1 (xx:xx:xx:xx:xx:xx)
ath0: deleting host 10.0.0.199 (xx:xx:xx:xx:xx:xx)
ath0: deleting host 10.0.0.195 (xx:xx:xx:xx:xx:xx)

I switched to the latest stable OpenWRT using instructions for flashing OpenWRT to WPQ865.

root@OpenWrt:/etc# cat os-release 
NAME="OpenWrt"
VERSION="19.07.7"
ID="openwrt"
ID_LIKE="lede openwrt"
PRETTY_NAME="OpenWrt 19.07.7"
VERSION_ID="19.07.7"
HOME_URL="https://openwrt.org/"
BUG_URL="https://bugs.openwrt.org/"
SUPPORT_URL="https://forum.openwrt.org/"
BUILD_ID="r11306-c4a6851c72"
OPENWRT_BOARD="ipq806x/generic"
OPENWRT_ARCH="arm_cortex-a15_neon-vfpv4"
OPENWRT_TAINTS=""
OPENWRT_DEVICE_MANUFACTURER="OpenWrt"
OPENWRT_DEVICE_MANUFACTURER_URL="https://openwrt.org/"
OPENWRT_DEVICE_PRODUCT="Generic"
OPENWRT_DEVICE_REVISION="v0"
OPENWRT_RELEASE="OpenWrt 19.07.7 r11306-c4a6851c72"

I got Wi-Fi working for my QCA9984 after running

opkg update
opkg install ath10k-firmware-qca9984
reboot # I'm lazy and superstitious -- cleaner just to reboot
# Modify /etc/config/wireless
wifi down
wifi up

I'm not seeing the relayd package from opkg, but I was able to download it from here and install it using:
opkg install <filename>

Alas, I can still not reach the Internet from my laptop via the Compex.

COMMENTARY: Perhaps my expectations are incorrect. With relayd configured correctly and my laptop connected to the Compex via eth1, I expect to be able to get a response from either of these commands:

ping -I eth1 8.8.8.8
ping -I eth1 openwrt.org

but I'm not getting anything when I run this from the laptop. However, when I run this when logged in to the Compex (without the -I), I get responses as expected.

Installed tcpdump:

While running

ping -I eth1 8.8.8.8

on my laptop, I'm seeing on the Compex (I've edited for unique lines)

root@OpenWrt:~# tcpdump -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
23:31:51.455062 ARP, Request who-has dns.google tell 10.0.0.195, length 46
23:31:54.037269 ARP, Request who-has 10.0.0.195 (Broadcast) tell 10.0.0.195, length 28
23:31:54.037350 ARP, Reply 10.0.0.195 is-at xx:xx:xx:xx:xx:xx (oui Unknown), length 28
23:31:57.187848 ARP, Request who-has 10.0.0.210 (Broadcast) tell 10.0.0.210, length 28
23:31:57.187929 ARP, Reply 10.0.0.210 is-at xx:xx:xx:xx:xx:xx (oui Unknown), length 28
23:31:57.188508 IP 10.0.0.195.49534 > 10.0.0.210.8009: Flags [S], seq 2283318130, win 64240, options [mss 1460,sackOK,TS val 3442471548 ecr 0,nop,wscale 10], length 0
23:31:58.156825 ARP, Request who-has 10.0.0.214 tell 10.0.1.1, length 28
23:31:58.213962 IP6 xxxx::xxxx:xxxx:xxxx:xxx > ip6-allnodes: ICMP6, router advertisement, length 120
23:31:58.248366 ARP, Request who-has 10.0.0.214 (Broadcast) tell 10.0.0.214, length 28
23:31:58.248461 ARP, Reply 10.0.0.214 is-at xx:xx:xx:xx:xx:xx (oui Unknown), length 28
23:31:58.392731 IP 10.0.0.195.5353 > 224.0.0.251.5353: 0 [2a] [9q] PTR (QM)? _ipps._tcp.local. PTR (QM)? _ftp._tcp.local. PTR (QM)? _webdav._tcp.local. PTR (QM)? _webdavs._tcp.local. PTR (QM)? _sftp-ssh._tcp.local. PTR (QM)? _smb._tcp.local. PTR (QM)? _afpovertcp._tcp.local. PTR (QM)? _nfs._tcp.local. PTR (QM)? _ipp._tcp.local. (245)
23:31:59.129666 IP 10.0.0.210.5353 > 224.0.0.251.5353: 0*- [0q] 2/0/3 PTR 88acf8ad-b9b2-50e0-8d18-3f6ab14-0._spotify-connect._tcp.local., PTR _spotify-connect._tcp.local. (239)
23:31:59.647509 ARP, Request who-has dns.google tell 10.0.0.195, length 46
23:32:00.153769 IP 10.0.0.210.5353 > 224.0.0.251.5353: 0*- [0q] 2/0/3 PTR 88acf8ad-b9b2-50e0-8d18-3f6ab14-0._spotify-connect._tcp.local., PTR _spotify-connect._tcp.local. (239)
23:32:00.153970 ARP, Request who-has 10.0.0.170 tell 10.0.1.1, length 28
23:32:00.256934 ARP, Request who-has 10.0.0.170 (Broadcast) tell 10.0.0.170, length 28

Looks like I'm seeing traffic coming in from the Wi-Fi network. Also, someone seems to know 8.8.8.8 is a google address.

Very old and unsupported version.

These should not be in lan network configuration.

lan zone is missing the relay interface.

2 Likes

@trendy Thank you for your reply. Addressing each of your comments:

  • Now running OpenWRT 19.07.7
  • Removed gateway and dns from lan in /etc/config/network
  • Added relay to my firewall configuration in /etc/config/firewall:
config zone
        option name 'lan'
        list network 'lan wwan relay'
  • Rebooted
    Same result. :-/

Running tcpdump on the Compex targeting my Wi-Fi interface reports:

15:42:49.005956 ARP, Request who-has 10.0.0.195 (Broadcast) tell 10.0.0.195, length 28
15:42:49.006074 ARP, Reply 10.0.0.195 is-at yy:yy:yy:yy:yy:yy (oui Unknown), length 28

where yy:yy:yy:yy:yy:yy is the MAC address of my Wi-Fi interface. Is this what should be happening?

It seems like this should be the MAC address of my laptop and relayd would keep track of IP addresses originating from the Compex Ethernet port.

From this reply in a different thread, it looks like NAT is set up in the firewall configuration but the OP in that thread is trying to do the exact opposite of what I'm doing, namely: WLAN->ETH->INTERNET (I'm trying ETH->WLAN->INTERNET). In light of this and the Wi-Fi reporting its own MAC address for my laptop leads me to believe there is more to change in my firewall configuration. But maybe looking at that post is confusing issues.

Let's have one more look. Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l  /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
2 Likes

Here's the information you requested. Thanks for the reminder to redact MACs/IPs.

{
        "kernel": "4.14.221",
        "hostname": "OpenWrt",
        "system": "ARMv7 Processor rev 0 (v7l)",
        "model": "Qualcomm IPQ8064/AP161",
        "board_name": "qcom,ipq8064-ap161",
        "release": {
                "distribution": "OpenWrt",
                "version": "19.07.7",
                "revision": "r11306-c4a6851c72",
                "target": "ipq806x/generic",
                "description": "OpenWrt 19.07.7 r11306-c4a6851c72"
        }
}
package network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'xxxx:xxxx:xxxx::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1 eth2'
        option proto 'static'
        option ipaddr '10.0.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wwan'
        option proto 'dhcp'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '6 4'

config interface 'relay'
        option proto 'relay'
        option network 'lan wwan'
        option gateway '10.0.0.1'
        option dns '10.0.0.1'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option htmode 'VHT80'
        option disabled '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'wwan'
        option mode 'sta'
        option ssid 'XXXXXXXXX'
        option encryption 'psk2'
        option key 'YYYYYYYYYYYYYYYYYYYYY'

package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'disabled'
        option ra 'server'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan wwan relay'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
8: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.0.1.1/24 brd 10.0.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    inet 10.0.0.43/24 brd 10.0.0.255 scope global wlan0
       valid_lft forever preferred_lft forever
default via 10.0.0.1 dev wlan0 table 16801 
10.0.0.1 dev wlan0 table 16801 scope link 
10.0.0.170 dev wlan0 table 16801 scope link 
10.0.0.214 dev wlan0 table 16801 scope link 
default via 10.0.0.1 dev wlan0  src 10.0.0.43 
10.0.0.0/24 dev wlan0 scope link  src 10.0.0.43 
10.0.1.0/24 dev br-lan scope link  src 10.0.1.1 
broadcast 10.0.0.0 dev wlan0 table local scope link  src 10.0.0.43 
local 10.0.0.43 dev wlan0 table local scope host  src 10.0.0.43 
broadcast 10.0.0.255 dev wlan0 table local scope link  src 10.0.0.43 
broadcast 10.0.1.0 dev br-lan table local scope link  src 10.0.1.1 
local 10.0.1.1 dev br-lan table local scope host  src 10.0.1.1 
broadcast 10.0.1.255 dev br-lan table local scope link  src 10.0.1.1 
broadcast 127.0.0.0 dev lo table local scope link  src 127.0.0.1 
local 127.0.0.0/8 dev lo table local scope host  src 127.0.0.1 
local 127.0.0.1 dev lo table local scope host  src 127.0.0.1 
broadcast 127.255.255.255 dev lo table local scope link  src 127.0.0.1 
0:      from all lookup local 
2:      from all iif lo lookup 2 
2:      from all iif wlan0 lookup 16800 
2:      from all iif br-lan lookup 16801 
32766:  from all lookup main 
32767:  from all lookup default 
ls: /tmp/resolv.*/*: No such file or directory
lrwxrwxrwx    1 root     root            16 Feb 15 15:22 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Feb 25 15:12 /tmp/resolv.conf
-rw-r--r--    1 root     root            90 Feb 25 15:15 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wwan
nameserver aa.bb.cc.dd
nameserver ee.ff.gg.hh
search gggg.hhhh.jjjj.iii.aaaa.bbb
head: /tmp/resolv.*/*: No such file or directory

Remove these from the relay interface.

This is not correct, it should be one interface at a line, like in wan interface.

2 Likes
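A small lint for the two corrections made in the reply above, as an added example that is not part of the original thread. The function names `check_uci` and `sample_config` are made up for illustration, and the sample input is a trimmed copy of the export posted earlier.

```shell
#!/bin/sh
# Added example, not from the thread: lint `uci export` text for the two
# mistakes corrected above. check_uci and sample_config are made-up names.

# check_uci: read UCI config text on stdin, print one finding per line.
check_uci() {
    awk -v q="'" '
    # Strip one leading and one trailing quote character from a value.
    function unq(s) { gsub("^[\"" q "]|[\"" q "]$", "", s); return s }
    # At the end of a section: gateway/dns are reported only if proto was relay.
    function report(   i) {
        if (stype == "interface" && proto == "relay")
            for (i = 1; i <= nbad; i++)
                printf "interface %s: option %s does not belong on a proto relay interface\n", sname, bad[i]
        nbad = 0; proto = ""; zname = ""
    }
    $1 == "package" { report(); stype = ""; next }
    $1 == "config"  { report(); stype = $2; sname = unq($3); next }
    $1 == "option" && $2 == "proto" { proto = unq($3) }
    $1 == "option" && $2 == "name"  { zname = unq($3) }
    $1 == "option" && ($2 == "gateway" || $2 == "dns") { bad[++nbad] = $2 }
    # The reply asks for one network name per "list network" line in a zone.
    stype == "zone" && $1 == "list" && $2 == "network" && NF > 3 {
        v = $3; for (i = 4; i <= NF; i++) v = v " " $i
        printf "zone %s: list network %s%s%s packs %d names into one entry; use one list line per name\n", zname, q, unq(v), q, NF - 2
    }
    END { report() }
    '
}

# Constructed sample: trimmed from the network and firewall export above.
sample_config() {
    cat <<'EOF'
package network

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '10.0.1.1'

config interface 'wwan'
        option proto 'dhcp'

config interface 'relay'
        option proto 'relay'
        option network 'lan wwan'
        option gateway '10.0.0.1'
        option dns '10.0.0.1'

package firewall

config zone
        option name 'lan'
        list network 'lan wwan relay'
        option forward 'ACCEPT'
EOF
}

sample_config | check_uci
```

On the router itself the same function can be fed with `uci export network; uci export firewall`.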

Yay! It's working. Thank you for your time. :slight_smile:

I had added the gateway/dns to the relay interface just fiddling around and forgot to remove it.

I had tried multiple lines for the list network elements previously but had gone to the option network style which I think allows space-delimited interface names.

1 Like

I was able to configure the old Chaos Calmer QSDK in the same manner. Thanks again!

1 Like

Keep in mind that it is vulnerable to a ton of security flaws, including WPA/WPA2 KRACK.

1 Like
