Network & Routing with RP4

I’ve created a router with my RP4 for learning purposes, but here is my question.

I’m running static default IP on the lan side and created a WiFi access point to bridge with the lan.

I’m using a mini Mac that is sharing WiFi via Ethernet to the raspberry pi.

It’s bridging directly to the Mac mini. DHCP on the WiFi access point is doling out subnet 192.168.3.*. When I ssh into 192.168.3.1, it’s actually the Mac mini. Then from the Mac mini, I can ssh into 192.168.1.1

Problem being, while devices connecting to this new access point can get through to the outside world, the raspberry pi itself is just bridging without any connection to the internet, and I can’t update / install other packages.

My networking skills are lacking, which is why I’m playing around. Some help with fixing along with decent documentation would be greatly appreciated.

JB

Chances are that the ethernet port (eth0) is currently part of br-lan.

You need to remove it from br-lan and then create a new interface like this:

# Dedicated upstream interface: eth0 (once removed from br-lan) gets its address,
# default route and DNS by DHCP from the upstream host.
# NOTE(review): the firewall's wan zone must also list this network
# (list network 'wan'); an interface that belongs to no zone is handled by the
# firewall's global default policy instead of the wan zone's.
config interface 'wan'
    option device 'eth0'
    option proto 'dhcp'

If that doesn't fix the issue, let's look at your config:

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
root@OpenWrt:~# ubus call system board
{
        "kernel": "5.15.134",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 3",
        "model": "Raspberry Pi 4 Model B Rev 1.5",
        "board_name": "raspberrypi,4-model-b",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.0",
                "revision": "r23497-6637af95aa",
                "target": "bcm27xx/bcm2711",
                "description": "OpenWrt 23.05.0 r23497-6637af95aa"
cat /etc/config/network

# Loopback interface (127.0.0.1/8).
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# IPv6 unique-local prefix (fd00::/8 range): private addressing, not a public address.
config globals 'globals'
        option ula_prefix 'fdca:15bf:fd1f::/48'

# The only Ethernet port is a member of the LAN bridge, so whatever is plugged
# into eth0 shares one layer-2 segment with everything else attached to 'lan'.
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

# Static LAN address of the router. No gateway or DNS server is set on this
# interface and the file defines no 'wan' interface, so nothing here gives the
# router itself a default route.
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        # Size of the IPv6 prefix delegated to this interface.
        option ip6assign '60'
root@OpenWrt:~# cat /etc/config/wireless

# Radio settings: 5 GHz band, channel 157, 40 MHz VHT channel width.
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
        option channel '157'
        option band '5g'
        option cell_density '0'
        option txpower '20'
        option htmode 'VHT40'

# Access point on radio0, attached to the 'lan' network, so wireless clients
# join the same bridge (br-lan) as the wired port.
config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'kinkythots'
        # psk2 = WPA2 with a pre-shared passphrase.
        option encryption 'psk2'
        option network 'lan'
        # NOTE(review): the passphrase was posted unredacted, is the 8-character
        # minimum WPA2 allows and is a trivially guessable sequence. Replace it
        # with a long random passphrase before relying on this access point.
        option key '12345678'
        # Management frame protection (802.11w): 1 = optional, 2 = required.
        option ieee80211w '1'
root@OpenWrt:~# cat /etc/config/dhcp

# dnsmasq: DNS forwarder and DHCPv4 server.
config dnsmasq
        # Do not forward plain (dot-less) names or reverse lookups for private
        # ranges to upstream resolvers.
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        # DNS rebinding protection: discard upstream answers that point into
        # private address ranges.
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        # Only answer DNS queries that come from directly attached subnets.
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

# DHCP pool on 'lan': 150 addresses starting at host number 100, 12-hour leases.
# NOTE(review): while eth0 is a port of br-lan, this server shares a broadcast
# domain with any DHCP server on the upstream host. The first post reports
# clients receiving 192.168.3.* addresses, presumably from that upstream
# server rather than from this pool (confirm).
config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

# No DHCP service is offered on the upstream side.
config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

# odhcpd handles DHCPv6 and router advertisements; it is not the main DHCPv4 server.
config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
root@OpenWrt:~# cat /etc/config/firewall

# Global fallback policy for traffic that no zone claims.
# NOTE(review): with input and forward both ACCEPT, an interface that is not
# listed in any zone is not filtered at all.
config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option synflood_protect '1'

# LAN zone: covers the 'lan' network; hosts on it may reach the router and each other.
config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

# NOTE(review): this zone has no 'list network' entry, so it currently covers no
# interface. With input and forward set to ACCEPT, attaching an upstream
# interface to it would leave the router's own services (such as ssh) reachable
# from the upstream side. The reply further down this thread gives REJECT for both.
config zone
        option name 'wan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        # Source NAT (masquerading) for traffic leaving through this zone.
        option masq '1'
        # Clamp TCP MSS to the path MTU.
        option mtu_fix '1'

# Lets hosts in the lan zone open connections out through the wan zone.
config forwarding
        option src 'lan'
        option dest 'wan'

# Every rule below has src 'wan', so it only matches traffic that enters through
# an interface listed in the wan zone. Rules without a 'dest' apply to traffic
# addressed to the router itself; rules with a 'dest' apply to forwarded traffic.
# While the wan zone's input and forward policies are ACCEPT these exceptions
# change nothing; they matter once those policies are REJECT.

# DHCP replies to the router's own DHCP client (UDP port 68).
config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

# The router answers IPv4 ping from the upstream side.
config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

# IGMP (multicast group membership) to the router.
config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

# DHCPv6 replies to the router's own client (UDP port 546).
config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

# Multicast Listener Discovery, accepted from link-local sources only.
config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

# ICMPv6 types that IPv6 needs in order to work (neighbour discovery, path MTU
# discovery, errors), addressed to the router and rate-limited.
config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# The same error and echo types, forwarded from wan to any zone, rate-limited.
config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# NOTE(review): this rule and the next forward IPsec (ESP, and IKE on UDP 500)
# from wan to any lan host. They can be removed if no lan host terminates IPsec
# (confirm before removing).
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# NOTE(review): allows traffic that arrives in the wan zone to be forwarded into
# the lan zone. Together with 'forward ACCEPT' on the wan zone this removes the
# separation between upstream and lan. Replies to connections opened from the
# lan are permitted by connection tracking and do not need this section.
config forwarding
        option src 'wan'
        option dest 'lan'

I forgot to say this, but thank you in advance for all help and 'constructive criticism'

edit: constructive criticism in before any possible trolls... if there are any on this forum.

As expected, eth0 is currently associated with br-lan and there is no wan network interface.

First, remove eth0 from the bridge so it looks like this:

# LAN bridge with no wired port. The access point still joins it through
# 'option network 'lan'' in the wireless config, so wireless clients remain on
# the lan while eth0 becomes a separate interface.
config device
        option name 'br-lan'
        option type 'bridge'

then create a new network interface for the wan:

# Dedicated upstream interface: eth0 gets its address, default route and DNS by
# DHCP from the upstream host.
# NOTE(review): the firewall's wan zone must also list this network
# (list network 'wan'); an interface that belongs to no zone is handled by the
# firewall's global default policy instead of the wan zone's.
config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

I'm not sure why, but your wan firewall zone is also not quite right (you must have changed it relative to the defaults). It should normally look like this:

# Upstream-facing zone.
config zone
        option name 'wan'
        # Unsolicited connections to the router itself from the upstream side are
        # refused, apart from what explicit 'config rule' sections with src 'wan'
        # allow. The router is then managed (ssh etc.) from the lan side only.
        option input 'REJECT'
        option output 'ACCEPT'
        # Nothing arriving from upstream is forwarded onward unless a forwarding
        # or rule section allows it; replies to lan-initiated connections still
        # pass through connection tracking.
        option forward 'REJECT'
        # Binds the 'wan' interface to this zone. Without this line the zone
        # covers no interface and its policy is never applied.
        list network 'wan'
        # Source NAT for lan traffic leaving through this zone.
        option masq '1'
        # Clamp TCP MSS to the path MTU.
        option mtu_fix '1'

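And this forwarding rule should be deleted, since it allows traffic arriving from the wan zone to be forwarded into the lan:

config forwarding
        option src 'wan'
        option dest 'lan'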

Once those are done, reboot the device and your downstream wifi devices should have internet access via the Pi > Mac > main network/internet.

You're welcome.

There are some trolls, indeed. Not many, but a few for sure.

Thank you very much for your time.

Is it possible you could link me some documentation on some of this? I started learning Linux-based systems about 4 years ago after 30 years of only Windows. And I'm ashamed to say, I've neglected the network side on both sides.

Especially the firewall misconfig you mentioned. I set the input to allow thinking it would fix my problem before coming here.

I'd like to learn my way through this. Knowledge is power.

Thanks!