OpenWrt 23: Route WiFi to LAN

Hello all,

I have installed the stable version of OpenWrt 23.05 on the GL-XE300 Puli router. The router is connected to the main WiFi network and configured as a station. A LAN cable from the router is connected to my PC. I am able to get the network for the router from the main WiFi network, but I am not able to get internet connectivity on the PC connected to the LAN of the router.

I want to route the network from WiFi to LAN.

Ideally, the device connected to the router via LAN should get the IP and network connectivity from the network to which the router is connected (WiFi in this case).

Can someone help me to resolve this issue?

Network configuration for the LAN is as attached:

Are there any firewall changes to be done?

Regards,
Bobby

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Firewall handles br-lan
You just need to add the "lan" network to the wifi access point, the way it is done in the OpenWrt example access point configuration.

No. The firewall handles the network lan, not the bridge.

@psherman, below are the outputs:

root@XYZ:/# ubus call system board
{
        "kernel": "5.15.150",
        "hostname": "iobot-50EE",
        "system": "Qualcomm Atheros QCA9533 ver 2 rev 0",
        "model": "GL.iNet GL-XE300",
        "board_name": "glinet,gl-xe300",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "MiniBox-V3.0",
                "version": "23.05.3",
                "revision": "r23809-234f1a2efa",
                "target": "ath79/nand",
                "description": "MiniBox-V3.0 23.05.3 r23809-234f1a2efa"
        }
}

cat /etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
 
config globals 'globals'
        option ula_prefix 'fdcc:6470:e6c9::/48'
 
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'
 
config interface 'apspt'
        option type 'bridge'
        option dns '8.8.8.8'
        option proto 'static'
        option ipaddr '10.130.0.1'
        option netmask '255.255.255.0'
        option gateway '255.255.255.255'
 
config interface 'apspt2'
        option type 'bridge'
        option dns '8.8.8.8'
        option proto 'static'
        option ipaddr '10.130.5.1'
        option netmask '255.255.255.0'
        option gateway '255.255.255.255'
 
config interface 'apspt3'
        option type 'bridge'
        option dns '8.8.8.8'
        option proto 'static'
        option ipaddr '10.130.6.1'
        option netmask '255.255.255.0'
        option gateway '255.255.255.255'
 
config interface 'apspt4'
        option type 'bridge'
        option dns '8.8.8.8'
        option proto 'static'
        option ipaddr '10.130.7.1'
        option netmask '255.255.255.0'
        option gateway '255.255.255.255'
 
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.8.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
 
config interface 'wan'
        option ifname 'eth1'
        option metric '1'
        option proto 'dhcp'
        option hostname 'iobot-50EE'
 
config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'
 
config interface 'wwan'
        option proto 'dhcp'
        option metric '2'
 
config interface 'cell'
        option ifname '3g-modem'
        option service 'umts'
        option apn 'J108.com.attz'
        option proto '3g'
        option device '/dev/ttyUSB4'
        option node '1-1.2:1.3'
        option auth 'NONE'
        option metric '3'
        option disabled '0'

cat /etc/config/firewall

config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             apspt
        list   network          'apspt'
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT

config zone
        option name             apspt2
        list   network          'apspt2'
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT

config zone
        option name             apspt3
        list   network          'apspt3'
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT

config zone
        option name             apspt4
        list   network          'apspt4'
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        list   network          'wwan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

config forwarding
        option src              apspt
        option dest             wan

config forwarding
        option src              apspt2
        option dest             wan

config forwarding
        option src              apspt3
        option dest             wan

config forwarding
        option src              apspt4
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

config rule
        option name             Allow-IGMP
        option src              wan
        option proto            igmp
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://github.com/openwrt/openwrt/issues/5066
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-MLD
        option src              wan
        option proto            icmp
        option src_ip           fe80::/10
        list icmp_type          '130/0'
        list icmp_type          '131/0'
        list icmp_type          '132/0'
        list icmp_type          '143/0'
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

config rule
        option name             Allow-IPSec-ESP
        option src              wan
        option dest             lan
        option proto            esp
        option target           ACCEPT

config rule
        option name             Allow-ISAKMP
        option src              wan
        option dest             lan
        option dest_port        500
        option proto            udp
        option target           ACCEPT

# allow interoperability with traceroute classic
# note that traceroute uses a fixed port range, and depends on getting
# back ICMP Unreachables.  if we're operating in DROP mode, it won't
# work so we explicitly REJECT packets on these ports.
config rule
        option name             Support-UDP-Traceroute
        option src              wan
        option dest_port        33434:33689
        option proto            udp
        option family           ipv4
        option target           REJECT
        option enabled          false

# include a file with users custom iptables rules
config include
        option path /etc/firewall.user

### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#       option src              wan
#       option src_dport        22001
#       option dest             lan
#       option dest_port        22
#       option proto            tcp

### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp

root@xyz:/# cat /etc/config/wireless
config wifi-device 'radio0'
  option type 'mac80211'
  option phy 'phy0'
  option htmode 'HT40'
  list ht_capab 'SHORT-GI-40'
  list ht_capab 'DSSS_CCK-40'
  option hwmode '11ng'
  option disabled '0'
  option noscan 1
  option channel '3'

config wifi-iface 'sta_0'
  option device 'radio0'
  option ifname 'wlan0'
  option mode 'sta'
  option network 'wwan'
  option disabled '0'
  option ssid 'test'
  option encryption 'psk2'
  option key 'test@123'

config wifi-iface 'ah_0'
  option device 'radio0'
  option ifname 'wlan0-1'
  option network 'mesh_0'
  option bssid 'AA:BB:CC:DD:EE:FF'
  option ssid 'ssid'
  option encryption 'none'
  option key ''
  option mode 'adhoc'
  option hidden '1'
  option disabled '1'

config wifi-iface 'ap_0'
  option device 'radio0'
  option ifname 'wlan0-2'
  option network 'apspt'
  option mode 'ap'
  option maxassoc '30'
  option disabled '0'
  option hidden '1'
  option ssid 'test-wifi'
  option encryption 'psk2'
  option key 'password'

config wifi-iface 'ap_2'
  option device 'radio0'
  option ifname 'wlan0-3'
  option network 'apspt2'
  option mode 'ap'
  option maxassoc '30'
  option disabled '0'
  option hidden '0'
  option ssid 'test-iot'
  option encryption 'psk2'
  option key 'goodlife'

config wifi-iface 'ap_3'
  option device 'radio0'
  option ifname 'wlan0-4'
  option network 'apspt3'
  option mode 'ap'
  option maxassoc '30'
  option disabled '1'

config wifi-iface 'ap_4'
  option device 'radio0'
  option ifname 'wlan0-5'
  option network 'apspt4'
  option mode 'ap'
  option maxassoc '30'
  option disabled '1'

config odhcpd 'odhcpd'
  option maindhcp '0'
  option leasefile '/tmp/hosts/odhcpd'
  option leasetrigger '/usr/sbin/odhcpd-update'
  option readethers '1'

# generated 2024-05-08 22:43:04 -0700
# end file

root@xyz:/# cat /etc/config/dhcp
config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'disabled'
        option ra 'disabled'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'apspt'
        option interface 'apspt'
        option leasetime '120m'
        option start '10'
        option limit '30'
        option dynamicdhcp '1'

config dhcp 'apspt2'
        option interface 'apspt2'
        option leasetime '120m'
        option start '10'
        option limit '100'
        option dynamicdhcp '1'

config dhcp 'apspt3'
        option interface 'apspt3'
        option leasetime '120m'
        option start '10'
        option limit '100'
        option dynamicdhcp '1'

config dhcp 'apspt4'
        option interface 'apspt4'
        option leasetime '120m'
        option start '10'
        option limit '30'
        option dynamicdhcp '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config dhcp 'wwan'
        option interface 'wwan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'


This config has many major issues. It also is not running firmware for the official project. It is running the heavily modified gl-inet fork.

You will likely be best served by completely resetting the device to defaults, but you should also consider installing official openwrt.

It appears you are using firmware that is not from the official OpenWrt project.

When using forks/offshoots/vendor-specific builds that are "based on OpenWrt", there may be many differences compared to the official versions (hosted by OpenWrt.org). Some of these customizations may fundamentally change the way that OpenWrt works. You might need help from people with specific/specialized knowledge about the firmware you are using, so it is possible that advice you get here may not be useful.

You may find that the best options are:

  1. Install an official version of OpenWrt, if your device is supported (see https://firmware-selector.openwrt.org).
  2. Ask for help from the maintainer(s) or user community of the specific firmware that you are using.
  3. Provide the source code for the firmware so that users on this forum can understand how your firmware works (OpenWrt forum users are volunteers, so somebody might look at the code if they have time and are interested in your issue).

If you believe that this specific issue is common to generic/official OpenWrt and/or the maintainers of your build have indicated as such, please feel free to clarify.

Actually, I’m not positive that this is from gl-inet. But it certainly isn’t from here.

@psherman, I've updated the config files. Can you check the above files again?

I mistakenly copied the data from another device on which an old version of OpenWrt was installed.

This is not openwrt. You need to ask the people who provided this firmware, or install official openwrt.

And the major problems still exist, fwiw.

@psherman, the source code is downloaded from the official OpenWrt GitHub page.

It clearly isn't, and as mentioned, we don't know anything about the changes that went into it - at least your initial configuration suggests a lot. Please talk to those who provided you with the firmware; it's their responsibility, not OpenWrt's.

Your device is supported by the official openwrt firmware. You can download and install it from this link:

https://firmware-selector.openwrt.org/?version=23.05.3&target=ath79%2Fnand&id=glinet_gl-xe300

Use the sysupgrade file, and do not keep settings. There is a checkbox which should be unchecked when you upgrade (you need to make sure that the device will reset to defaults, because the current config will not work with official openwrt).