Mounting AP with 2 OpenWrt routers bridged (DumbAP)

Hello,

I’m going crazy with my 2 OpenWrt routers.

Because I need an access point for my WiFi printer, I’ve decided to set up my second OpenWrt router as a WiFi access point.

I did the following:

  • First router (main):

      • LAN interface on 192.168.1.1

      • DHCP activated, range 192.168.1.100 to 192.168.1.150

      • WiFi activated (SSID: WIFI_1)

  • Second router (WiFi access point):

      • LAN interface on 192.168.1.2, gateway & DNS defined on 192.168.1.1

      • DHCP deactivated, DNS deactivated, firewall deactivated

      • WiFi activated (SSID: WIFI_2)

  • Cable connected from a LAN port of the main router to a LAN port of the second router

When I connect as a client on WIFI_1, I can ping and see the clients on the whole LAN range (for instance, I can log in on 192.168.1.2, and the WiFi printer connected on WIFI_2 is visible and usable).

When I connect as a client on WIFI_2, I can ping and see the clients on the whole LAN range (for instance, I can log in on either 192.168.1.2 or 192.168.1.1, and the WiFi printer connected on WIFI_2 is visible and usable).

Conclusion: using either WiFi gives me the correct behaviour.

Now, when I connect as a client on the LAN of the first (main) router, I CAN’T ping and see the clients which are connected to the second router (for instance, I can log in on 192.168.1.1 but it is NOT possible on 192.168.1.2, and the WiFi printer connected on WIFI_2 is NOT visible – no ping response – and NOT usable).

I’m really lost & stuck on this issue. Routers are ZBT-WE3526 (OpenWrt 19.07.2) and NETGEAR WNR2000 V4 (OpenWrt 17.01.7)

Thank you for your suggestions


It sounds like maybe one of these devices can’t handle more than one MAC address on each port (i.e. wasn’t designed to handle that), or some other reason that’s affecting ARP. I have exactly the same setup with 2 dumb AP devices and they work fine.

Wait and see if anyone else replies with other ideas. If no one does, one option you could do is change the IP on the router that’s hosting the printer to another range, e.g. 192.168.2.1/255.255.255.0, and turn DHCP back on. You would then connect a LAN port on the main router to the WAN port on the not-so-dumb AP router. And finally you’ll then need to add a static route on your main router for the range 192.168.2.0, mask 255.255.255.0, that points to the IP of your AP device.

See this page. https://openwrt.org/docs/guide-user/network/routedclient It’s very similar to what you have, except you have joined the two routers with an Ethernet cable instead of wifi (which is much better)

Could you post the following from the main router:
uci export network; uci export dhcp; uci export firewall; uci export wireless


-------------------- NETWORK file ----------------

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdae:7803:fff2::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.1.1'
	option dns '1.1.1.1 208.67.222.222 8.8.8.8'
	option igmp_snooping '1'

config device 'lan_dev'
	option name 'eth0.1'
	option macaddr '78:a3:51:3a:b6:2a'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config device 'wan_dev'
	option name 'eth0.2'
	option macaddr '78:a3:51:3a:b6:2b'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 6t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6t'

Please edit the post above and use preformatted text (the </> button) for the output from SSH.
@ZBastien it is still not correct. There is no indentation and it is hard to read. Edit the previous post, delete all the contents, produce the output one more time, copy it, then press the preformatted text button and immediately paste and save.


-------------------- DHCP file --------------------

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option start '100'
	option limit '50'
	option force '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

-------------------- FIREWALL file --------------------

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option masq '1'
	option mtu_fix '1'
	option input 'ACCEPT'
	option network 'wan wan6'
	option forward 'REJECT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config forwarding
	option dest 'wan'
	option src 'lan'

config forwarding
	option dest 'lan'
	option src 'wan'


-------------------- WIRELESS file --------------------

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'pci0000:00/0000:00:01.0/0000:02:00.0'
	option htmode 'HT20'
	option legacy_rates '1'
	option country 'FR'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'WIFI_1'
	option encryption 'psk-mixed'
	option key 'XXXXXXXX'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

Nope, you want something like this:

config dhcp 'test'
	option interface 'test'
	option ignore '1'

I tried this approach but I have the same behaviour :(

On the main router I defined:

On the second router I defined:

  • WAN on 192.168.1.108 (according to static ip defined on main router)

  • LAN on 192.168.2.1

I'm going to guess that you're seeing some weird switch / network broadcast bug. You should be able to run 19.X on your WNR2000 however without the WebUI which probably will solve a lot of your weird issues. As far as I can tell your setup should work at least if you connect using IP.

Except for a few mistakes, like the DNS in the lan interface (move them to the wan interface instead), the ACCEPT policy in wan input (make it REJECT), the wan->lan forwarding (you don't need that), and the legacy rates in the wireless config (use them only if you have some old 11b/g device), I don't see anything wrong here.
Do the following:

swconfig list
Found: switch0 - ag71xx-mdio.0
swconfig dev switch0 show

If it tells you that it found something else than switch0, use that one.
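
The two firewall points in the reply above (WAN input policy and the wan->lan forwarding), as an added example that is not from the thread: a shell function that reads `uci export firewall` output and flags exactly those two settings. With `input 'ACCEPT'` on the wan zone, the router's own services accept connections arriving from the upstream side. The sample input is constructed from the values posted earlier, and the function names are made up here.

```shell
# Added example (not from the thread): flag the two firewall settings named
# in the reply above in `uci export firewall` output read on stdin.
audit_firewall() {
    awk -v q="'" '
    # Evaluate the section just finished, then forget its options.
    function check() {
        if (sect == "zone" && o["name"] == "wan" && o["input"] == "ACCEPT")
            print "zone wan: input is ACCEPT, set it to REJECT"
        if (sect == "forwarding" && o["src"] == "wan" && o["dest"] == "lan")
            print "forwarding wan->lan: not needed, remove it"
        split("", o)
    }
    $1 == "config" { check(); sect = $2; next }
    $1 == "option" {
        v = $0
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v)  # keep only the value
        gsub(q, "", v)                                  # drop the quotes
        o[$2] = v
    }
    END { check() }
    '
}

# Constructed sample: zones and forwardings as posted earlier in the thread.
sample_firewall() {
    cat <<'EOF'
config zone
    option name 'lan'
    option input 'ACCEPT'
config zone
    option name 'wan'
    option input 'ACCEPT'
    option forward 'REJECT'
    option network 'wan wan6'
config forwarding
    option dest 'wan'
    option src 'lan'
config forwarding
    option dest 'lan'
    option src 'wan'
EOF
}

sample_firewall | audit_firewall
```

On the router itself the input would be `uci export firewall | audit_firewall`.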

Thank you. I'm not sure I understand the change you'd like me to make to the firewall rules.
For the query:
swconfig list
Found: switch0 - mt7530

For this query

swconfig dev switch0 show
Global attributes:
	enable_vlan: 1
Port 0:
	pvid: 1
	link: port:0 link:up speed:1000baseT full-duplex 
Port 1:
	pvid: 1
	link: port:1 link:up speed:100baseT full-duplex 
Port 2:
	pvid: 1
	link: port:2 link:up speed:1000baseT full-duplex 
Port 3:
	pvid: 1
	link: port:3 link:up speed:100baseT full-duplex 
Port 4:
	pvid: 2
	link: port:4 link:up speed:1000baseT full-duplex 
Port 5:
	pvid: 0
	link: port:5 link:down
Port 6:
	pvid: 0
	link: port:6 link:up speed:1000baseT full-duplex 
Port 7:
	pvid: 0
	link: port:7 link:down
VLAN 1:
	vid: 1
	ports: 0 1 2 3 6t 
VLAN 2:
	vid: 2
	ports: 4 6t 

When you really do have everything bridged into the LAN it should just work. The firewall has no effect on that sort of network since the bridging is at layer 2 and the firewall operates on layer 3.

The switch show shows there are more ports up (cables plugged in) than the diagram in the first post shows. Make sure you understand the logical switch port vs. physical numbers on the Ethernet ports. The two lan side cables must be plugged into ports that are in the same VLAN, the one that also has the LAN attached to the CPU port.

On the second router you can go with a default configuration, turn off the DHCP server, set a static IP on the LAN (to 192.168.1.2), and enable wifi. Again make sure the cable is plugged into the LAN VLAN. The WNR2000 has a separate CPU port for the WAN connection on the back, which you aren't using.

Actually the first router should also be running very close to a default configuration, as it is operating as a conventional home router. Start with default configuration, set up a WiFi AP, don't change anything else.

A main router with a wired connection to a dumb AP is about the second-simplest network that can be deployed, again I emphasize do not stray far from default configuration as you don't need to.
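
The cabling check described in the post above, as an added example that is not from the thread: a shell function that reads `swconfig dev switch0 show` output and lists each port with link up next to its VLAN membership. The sample input is constructed and shortened, and the function names are made up here. Ports that should reach each other must show the same VLAN, the one the tagged CPU port (`6t` in the output above) also carries.

```shell
# Added example (not from the thread): list every port with link up and the
# VLANs it belongs to, from `swconfig dev switch0 show` output on stdin.
ports_by_vlan() {
    awk '
    # "link: port:0 link:up ..." carries the port number and link state.
    $1 == "link:" {
        split($2, a, ":")
        up[a[2]] = ($3 == "link:up")
        if (a[2] + 0 > max) max = a[2] + 0
    }
    # "VLAN 1:" opens a VLAN block; remember its id for the ports line.
    $1 == "VLAN" { vid = $2; sub(/:/, "", vid) }
    # "ports: 0 1 2 6t" lists members; a trailing t marks a tagged port.
    $1 == "ports:" {
        for (i = 2; i <= NF; i++) {
            n = $i; tag = ""
            if (n ~ /t$/) { tag = "t"; sub(/t$/, "", n) }
            member[n] = member[n] " " vid tag
        }
    }
    END {
        for (n = 0; n <= max; n++) {
            m = (member[n] == "" ? " none" : member[n])
            if (up[n]) print "port " n " up vlan" m
        }
    }
    '
}

# Constructed sample, shortened, modelled on the output posted above.
sample_swconfig() {
    cat <<'EOF'
Port 0:
    pvid: 1
    link: port:0 link:up speed:1000baseT full-duplex
Port 1:
    pvid: 1
    link: port:1 link:up speed:100baseT full-duplex
Port 2:
    pvid: 1
    link: port:2 link:down
Port 4:
    pvid: 2
    link: port:4 link:up speed:1000baseT full-duplex
Port 6:
    pvid: 0
    link: port:6 link:up speed:1000baseT full-duplex
VLAN 1:
    vid: 1
    ports: 0 1 2 6t
VLAN 2:
    vid: 2
    ports: 4 6t
EOF
}

sample_swconfig | ports_by_vlan
```

On the router the input would be `swconfig dev switch0 show | ports_by_vlan`; the logical port numbers it prints still have to be matched to the physical sockets.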

The switch of the main router doesn't support igmp snooping.
Remove it from the lan interface configuration. That should fix your problem.

Thank you. Unfortunately it does not fix the trouble.
I saw that on my switches (hub ppoe) I have a button for VLAN and Default. I was on VLAN, so I changed it to Standard. Then I checked the network file on each router to remove the "option igmp_snooping '1'". Without success.
Now I'm cascading my routers LAN -> WAN (with a static route).
Tonight I will reinstall the second router and link them as LAN->LAN. Additionally I will remove the switches to see whether they are involved in this problem.

I'll keep you posted.

Another point: the option dns '1.1.1.1 208.67.222.222 8.8.8.8' on LAN is installed like that in the version 19.04 and not on WAN (I've used the GUI)

On the technical specifications of the hub (Tenda TEG1105P-4-63W):
Standard: the switch functions as a common unmanaged switch and all the ports of the switch can communicate with each other.
VLAN: In this mode, 1-4 ports of the switch cannot communicate with each other, but can communicate with the 5 port. Solid DIP switch to isolate ports to prevent broadcast storm and defend DHCP spoofing

Where is this hub on the diagram of the first post?

Like that

Try#1 is a LAN 2 LAN configuration (extension of the IP range managed by the main router)
Try#2 is a LAN 2 WAN configuration (2 subnets seen through a static route)

It was a rhetorical question, because it wasn't on the diagram of the first post.
The switch on the back of the Tenda should be on Standard, otherwise ports 1-4 will not communicate with each other. In any case it is better to test without it, as god knows what other limitation it might have.

I think the hub was the right thing to investigate.

I moved the LAN cable from the UPLINK port of the hub to another one (which is not the uplink, since all ports can now talk to each other) and now it seems to work (for solution try#2). My laptop can see everything on the network (1.x or 2.x).

Tonight I'll check try#1. And if it's OK, I'll add "solved".

Thanks to everyone for everything, and especially @trendy

NB: I usually use the uplink port on the switch to connect to the router... that's the fault
