Hi, I followed this guide about configuring a Routed AP and separating the wireless network from the LAN. The router is a Raspberry Pi 4. The LAN (lan_1) subnet is 10.30.1.0/30 and the WLAN (wifi) is 10.30.2.0/24 with DHCP on.
Everything seems configured correctly:
/etc/config/network

config interface 'wifi'
	option proto 'static'
	option device 'phy0-ap0'
	option ipaddr '10.30.2.1'
	option netmask '255.255.255.0'

config interface 'lan_1'
	option proto 'static'
	option device 'eth0'
	option ipaddr '10.30.1.1'
	option netmask '255.255.255.252'
/etc/config/firewall

config zone
	option name 'wifi'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wifi'

config zone
	option name 'lan_1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan_1'

config forwarding
	option src 'wifi'
	option dest 'lan_1'

config forwarding
	option src 'lan_1'
	option dest 'wifi'
root@OpenWrt:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.30.1.0       0.0.0.0         255.255.255.252 U     0      0        0 eth0
10.30.2.0       0.0.0.0         255.255.255.0   U     0      0        0 phy0-ap0
From the router, hosts on both networks are reachable. The problem is that traffic originating from the wireless network (wifi) is not allowed to reach the LAN interface (lan_1).
Tests from a host connected to the wireless network:
❯ ping 10.30.1.2
PING 10.30.1.2 (10.30.1.2): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
...
❯ traceroute 10.30.1.2
traceroute to 10.30.1.2 (10.30.1.2), 64 hops max, 40 byte packets
1 openwrt (10.30.2.1) 1.236 ms 0.423 ms 0.315 ms
2 * * *
3 * * *
4 * * *
...
I found out that the traffic forwarding works when adding the setting option masq '1' to the lan_1 zone in the firewall configuration. But I can't figure out why this is required. Anyway, traffic from lan_1 to wifi is still not allowed.
I can't come up with a solution. I would be grateful for any help.
I suspect that it is the masquerading (or lack thereof) on the upstream connection (unless your upstream has an appropriate static route installed).
But we really need to see the complete config.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
Thanks for your reply. The WAN interface is configured as a DHCP client attached to the ISP router, with masquerading enabled.
Both lan_1 and wifi successfully reach the WAN interface.
Below is the complete config.
root@RPi-OpenWrt:~# ubus call system board
{
	"kernel": "5.15.162",
	"hostname": "RPi-OpenWrt.local",
	"system": "ARMv8 Processor rev 3",
	"model": "Raspberry Pi 4 Model B Rev 1.1",
	"board_name": "raspberrypi,4-model-b",
	"rootfs_type": "squashfs",
	"release": {
		"distribution": "OpenWrt",
		"version": "23.05.4",
		"revision": "r24012-d8dd03c46f",
		"target": "bcm27xx/bcm2711",
		"description": "OpenWrt 23.05.4 r24012-d8dd03c46f"
	}
}
root@RPi-OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'

config device
	option name 'phy0-ap0'
	option ipv6 '0'

config device
	option name 'eth0'
	option ipv6 '0'

config device
	option name 'eth1'
	option ipv6 '0'

config interface 'wifi'
	option proto 'static'
	option device 'phy0-ap0'
	option ipaddr '10.30.2.1'
	option netmask '255.255.255.0'

config interface 'lan_1'
	option proto 'static'
	option device 'eth0'
	option ipaddr '10.30.1.1'
	option netmask '255.255.255.252'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth1'
root@RPi-OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
	option channel '48'
	option band '5g'
	option htmode 'VHT80'
	option country 'IT'
	option cell_density '0'
	option txpower '20'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'wifi'
	option mode 'ap'
	option ssid 'OpenWrt-wifi'
	option encryption 'psk2+ccmp'
	option key '*************'
root@RPi-OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'
	option filter_aaaa '0'
	option filter_a '0'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'wifi'
	option interface 'wifi'
	option start '100'
	option limit '150'
	option leasetime '24h'

config dhcp 'lan_1'
	option interface 'lan_1'
	option ignore '1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'
root@RPi-OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config zone
	option name 'wifi'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'wifi'

config zone
	option name 'lan_1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'lan_1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option mtu_fix '1'
	list network 'wan'
	option masq '1'

config forwarding
	option src 'lan_1'
	option dest 'wifi'

config forwarding
	option src 'lan_1'
	option dest 'wan'

config forwarding
	option src 'wifi'
	option dest 'wan'

config forwarding
	option src 'wifi'
	option dest 'lan_1'
Thanks.
Masquerading is used to "hide" the entire downstream network behind the singular address that the router holds on the upstream network. I often point to an analogy of an office or apartment building... the postal carrier doesn't need to know the name and internal address of each person in the building, all they need to know is the street address of the building. The mailroom in the building takes care of the rest.
If the upstream router has the ability to set static routes, you can add one for the downstream networks, and in that case masquerading can be disabled. The reason is this:
- you have 2 downstream networks: 10.30.1.0/30 and 10.30.2.0/24.
- I don't know what your upstream network is, but let's just say it is 192.168.1.0/24.
- Let's assume that the upstream router is 192.168.1.1
- And let's say that your OpenWrt's 'upstream' address is 192.168.1.5.
- The upstream doesn't have any knowledge of the 10.30.1.0/30 and 10.30.2.0/24 networks.... it doesn't know where to send packets with destinations in those networks.
- When masquerading is enabled, the OpenWrt router hides those two networks behind the 192.168.1.5 address, so the upstream router only has to send packets to an address on a network it already knows, and the masquerading downstream takes care of the rest.
- If you disable masquerading, you must add static routes into the upstream router:
  - 10.30.2.0/24 via 192.168.1.5
  - 10.30.1.0/30 via 192.168.1.5
- With these static routes, the upstream router would know that it sends traffic with destination addresses in those networks to the OpenWrt address (192.168.1.5) where it will be routed appropriately.
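As an added illustration of the reasoning above (example code, not from the thread or from OpenWrt): a small Python model of the upstream router's forwarding decision for the return packet, using the assumed 192.168.1.0/24 upstream network and 192.168.1.5 OpenWrt address from the reply. It shows why a reply to a 10.30.x.y source is lost unless either masquerading rewrites the source or the two static routes exist.

```python
import ipaddress

# Constructed topology, following the assumptions in the reply above:
# upstream router on 192.168.1.0/24, OpenWrt holding 192.168.1.5 there,
# downstream networks 10.30.1.0/30 and 10.30.2.0/24.
OPENWRT_UPSTREAM_ADDR = "192.168.1.5"

# Upstream router's routing table as (prefix, next hop). "direct" means the
# destination is on its own LAN; "isp" is its default route.
UPSTREAM_BASE_ROUTES = [("192.168.1.0/24", "direct"), ("0.0.0.0/0", "isp")]
DOWNSTREAM_STATIC_ROUTES = [("10.30.2.0/24", OPENWRT_UPSTREAM_ADDR),
                            ("10.30.1.0/30", OPENWRT_UPSTREAM_ADDR)]


def next_hop(routes, dst):
    """Longest-prefix match over a list of (prefix, next_hop) entries."""
    best_len, best_hop = -1, None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and net.prefixlen > best_len:
            best_len, best_hop = net.prefixlen, hop
    return best_hop


def reply_next_hop(client_addr, masq_on_wan, upstream_has_static_routes):
    """Where the upstream router sends the reply to a packet from client_addr.

    With masq on the OpenWrt wan zone the upstream only ever sees 192.168.1.5
    as the source, so the reply stays on its own LAN. Without masq it sees the
    real 10.30.x.y source and needs a static route; otherwise the reply follows
    the default route towards the ISP and never comes back.
    """
    routes = list(UPSTREAM_BASE_ROUTES)
    if upstream_has_static_routes:
        routes += DOWNSTREAM_STATIC_ROUTES
    seen_src = OPENWRT_UPSTREAM_ADDR if masq_on_wan else client_addr
    return next_hop(routes, seen_src)


def reply_reaches_openwrt(client_addr, masq_on_wan, upstream_has_static_routes):
    """True if the reply lands on the OpenWrt router, directly or via a static route."""
    hop = reply_next_hop(client_addr, masq_on_wan, upstream_has_static_routes)
    return hop in ("direct", OPENWRT_UPSTREAM_ADDR)


if __name__ == "__main__":
    for masq, static in [(True, False), (False, False), (False, True)]:
        print(f"masq={masq} static_routes={static} ->",
              reply_next_hop("10.30.2.100", masq, static))
```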