No ARP between WiFi and LAN?

Hi All,

In the house I have 3 x Xiaomi 4/4A routers running OpenWrt 21.02.1.

The connections are like:

The 5-4-3 ethernet rule has been observed.

The Xiaomi AP0 has replaced a Mikrotik used in that same environment for the same GW purpose.

All the rest of the devices pre-existed.

The configuration of that gateway is as follows:

root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd21:bc04:fcc0::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'wan'
	option stp '1'

config interface 'lan'
	option proto 'static'
	option ip6assign '60'
	option device 'br-lan'
	option stp '1'
	list dns_search 'example.net'
	list dns '10.46.236.1'
	list dns '8.8.4.4'
	list dns '8.8.8.8'
	list ipaddr '10.46.236.1/26'

config device
	option name 'lan1'
	option mtu '1500'

config interface 'n50'
	option proto 'pppoe'
	option username 'SomeUSER'
	option password 'SomePASS'
	option ipv6 'auto'
	option device 'lan1'

and

root@OpenWrt:~# cat /etc/config/wireless 

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option cell_density '0'
	option channel 'auto'
	option country 'GR'
	option htmode 'HT40'
	option txpower '15'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option encryption 'none'
	option ssid 'tweety-net'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11a'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option cell_density '0'
	option htmode 'VHT40'
	option channel 'auto'
	option txpower '15'
	option country 'GR'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option encryption 'none'
	option ssid 'tweety-net'

root@OpenWrt:~# cat /etc/config/firewall 

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config include
	option path '/etc/firewall.user'

config zone
	option name 'wan'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option input 'REJECT'
	list network 'n50'

config forward
	option src 'lan'
	option dest 'wan'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list device 'br-lan'
	list network 'lan'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config redirect
	option target 'DNAT'
	option name 'tweety-https'
	list proto 'tcp'
	option src 'wan'
	option src_dport '443'
	option dest 'lan'
	option dest_ip '10.46.236.30'
	option dest_port '443'

Connecting to the WiFi of any of the side APs (AP1/AP2), I can connect to any WiFi- or cable-connected device anywhere in the network.

Connecting to the gateway AP0 via WiFi, I can only connect to WiFi or cable devices connected to that gateway itself, but cannot connect to any other device connected to the rest of the network.

tcpdump showed that in this case, there are ARP requests going out (who has this IP? tell that IP), but nothing returns.

If I connect to the AP0 via ssh over WiFi, then I can connect to any other device in the network.

The obvious difference is that AP1/AP2 are in AP bridged mode and there is no firewall (all interfaces are connected to the same bridge).

Any ideas?

Best regards,
Theo

AP1 & 2 aren't running as true dumb APs - https://openwrt.org/docs/guide-user/network/wifi/dumbap ?

Hi
Thank you for your feedback.

It is not the case.

Both AP1 and AP2 are in full bridge mode.

From AP0 I can not get an ARP reply for any machine connected via cable to any SWITCH.

At the same time I can get an ARP reply when connected via ssh to AP0 itself.

From AP1 or AP2 I can get an ARP reply for any machine connected via cable to any SWITCH.

So from AP0, ARP replies are flowing from the LAN to the AP0 itself.

ARP replies do not flow from WiFi to LAN or from LAN to WiFi in AP0.

BR
Theo

Looking at the ARP tables, I read something strange.

All the IP addresses I cannot ping from AP0's WiFi are reported by AP0 to be discovered via interface lan1 and not via interface br-lan.

This is very strange.

lan1 is the PPPoE interface and is connected back-to-back with the VDSL modem.

All 10.46.236.0/26 IP addresses should ARP broadcast only on br-lan.

BR
Theo
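Added diagnostic, not from the thread: a POSIX sh script (it also runs under OpenWrt's ash) that parses `ip -4 neigh show` output and flags neighbour entries for the LAN subnet that were learned on an interface other than br-lan, which is exactly the symptom described above. The subnet 10.46.236.0/26, the bridge br-lan and the interface lan1 are taken from the thread; the sample neighbour lines and MAC addresses are constructed.

```shell
#!/bin/sh
# Added example: flag LAN-subnet neighbours learned on the wrong interface.
# Values below come from the thread; the SAMPLE lines are constructed.
LAN_NET="10.46.236.0"
LAN_PREFIX=26
LAN_DEV="br-lan"

# Dotted-quad IPv4 address -> 32-bit integer.
ip_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length -> netmask as an integer (masked to 32 bits).
prefix_mask() {
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# True if the address lies inside LAN_NET/LAN_PREFIX.
in_lan() {
    ip=$(ip_to_int "$1"); net=$(ip_to_int "$LAN_NET"); mask=$(prefix_mask "$LAN_PREFIX")
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Read `ip -4 neigh show` lines on stdin ("ADDR dev IFACE lladdr MAC STATE").
# Print every LAN-subnet entry whose interface is not LAN_DEV; exit 1 if any.
check_neigh() {
    found=0
    while read -r addr kw dev rest; do
        [ "$kw" = "dev" ] || continue
        if in_lan "$addr" && [ "$dev" != "$LAN_DEV" ]; then
            echo "MISPLACED: $addr learned on $dev, expected $LAN_DEV ($rest)"
            found=1
        fi
    done
    return $found
}

# Constructed sample: two LAN hosts wrongly learned on lan1, one correct,
# plus the modem's own management address, which legitimately sits on lan1.
SAMPLE='10.46.236.30 dev lan1 lladdr 02:00:00:00:00:30 STALE
10.46.236.5 dev br-lan lladdr 02:00:00:00:00:05 REACHABLE
10.46.236.40 dev lan1 lladdr 02:00:00:00:00:40 REACHABLE
192.168.1.1 dev lan1 lladdr 02:00:00:00:01:01 REACHABLE'

printf '%s\n' "$SAMPLE" | check_neigh || echo "LAN neighbours seen off $LAN_DEV: check the bridge membership of br-lan"
```

On a live router replace the sample with `ip -4 neigh show | check_neigh`; any MISPLACED line means the bridge is not the interface actually answering for that host.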