OpenWrt as wireless client can't access another client on the network

Hi all.

I've followed this guide to connect an OpenWrt box as a client to a WiFi network.
This setup works fine, except that the OpenWrt box can't access one client on the network.
The network consists entirely of AVM products with their proprietary mesh implementation, which may or may not be the problem here.

I've made a diagram to illustrate the setup:

Everything is on 192.168.178.x, OpenWrt is 192.168.178.x on WAN and 192.168.1.x on LAN.

Green can access red and the OpenWrt box in blue.
The OpenWrt box and the client behind it can access green but not red.
So, running ping and netcat to red on the OpenWrt box itself is unsuccessful, even though it's just another client.
Running them to green clients works just fine.

So, it could be the proprietary mesh thing, but why would OpenWrt be the only client affected?

A couple of things to check:

  1. Is there any IP conflict? Are the hosts acquiring settings from the DHCP server?
  2. Does OpenWrt have a correct ARP entry for the red client? Does the red client also have a correct ARP entry for OpenWrt?
  3. If you capture packets on the red client (Wireshark/tcpdump), do you see anything from OpenWrt?

Yes, all clients get the IPs via DHCP except blue and red which are static.
The DHCP server range is from 192.168.178.20 to 192.168.178.200.
Blue is 192.168.178.2 and red is 192.168.178.253, so there should be no conflict.

Yes, OpenWrt has the correct arp entry.
Unfortunately red is a locked down box with no way to check or capture packets.

Is OpenWrt set up as wireless WAN and wired LAN (routed), or as a single interface (bridged)?

Please show us your OpenWrt configuration, especially network and wireless, perhaps also firewall.

It's wireless WAN and wired LAN.

Here are the configs.

/etc/config/network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'

config interface 'wwan'
	option proto 'static'
	option ipaddr '192.168.178.2'
	option netmask '255.255.225.0'
	option gateway '192.168.178.1'
	option dns '1.1.1.1 9.9.9.9'

config interface 'vpn'
	option proto 'wireguard'
	option private_key '<snip>'
	option listen_port '51820'
	list addresses '10.0.0.2/24'

config wireguard_vpn
	option public_key '<snip>'
	list allowed_ips '10.0.0.0/24'
	list allowed_ips '192.168.1.0/24'
	option route_allowed_ips '1'
	option endpoint_host '<snip>'
	option endpoint_port '51820'
	option persistent_keepalive '25'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

/etc/config/wireless:

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option country 'DE'
	option path 'platform/soc/a000000.wifi'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option country 'DE'
	option path 'platform/soc/a800000.wifi'
	option htmode 'VHT80'
	option disabled '0'
	option legacy_rates '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'wwan'
	option mode 'sta'
	option encryption 'psk2'
	option ssid 'FRITZ!Box 7490'
	option key '<snip>'

/etc/config/firewall:

config defaults
	option syn_flood	1
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT

config zone
	option name		lan
	list   network		'lan'
	option input		ACCEPT
	option output		ACCEPT
	option forward		ACCEPT

config zone
	option name		wan
	list   network		'wan'
	list   network		'wwan'
	option input		REJECT
	option output		ACCEPT
	option forward		REJECT
	option masq		1
	option mtu_fix		1

config zone
	option name		vpn
	list network		'vpn'
	option input		ACCEPT
	option output		ACCEPT
	option forward		REJECT
	option mtu_fix		1

config forwarding
	option src		lan
	option dest		wan

config forwarding
	option src		lan
	option dest		vpn

config forwarding
	option src		vpn
	option dest		lan

config rule
	option name		Allow-DHCP-Renew
	option src		wan
	option proto		udp
	option dest_port	68
	option target		ACCEPT
	option family		ipv4

config rule
	option name		Allow-Ping
	option src		wan
	option proto		icmp
	option icmp_type	echo-request
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-IGMP
	option src		wan
	option proto		igmp
	option family		ipv4
	option target		ACCEPT

config rule
	option name		Allow-DHCPv6
	option src		wan
	option proto		udp
	option src_ip		fc00::/6
	option dest_ip		fc00::/6
	option dest_port	546
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-MLD
	option src		wan
	option proto		icmp
	option src_ip		fe80::/10
	list icmp_type		'130/0'
	list icmp_type		'131/0'
	list icmp_type		'132/0'
	list icmp_type		'143/0'
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-ICMPv6-Input
	option src		wan
	option proto	icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	list icmp_type		router-solicitation
	list icmp_type		neighbour-solicitation
	list icmp_type		router-advertisement
	list icmp_type		neighbour-advertisement
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-ICMPv6-Forward
	option src		wan
	option dest		*
	option proto		icmp
	list icmp_type		echo-request
	list icmp_type		echo-reply
	list icmp_type		destination-unreachable
	list icmp_type		packet-too-big
	list icmp_type		time-exceeded
	list icmp_type		bad-header
	list icmp_type		unknown-header-type
	option limit		1000/sec
	option family		ipv6
	option target		ACCEPT

config rule
	option name		Allow-IPSec-ESP
	option src		wan
	option dest		lan
	option proto		esp
	option target		ACCEPT

config rule
	option name		Allow-ISAKMP
	option src		wan
	option dest		lan
	option dest_port	500
	option proto		udp
	option target		ACCEPT

config rule
	option name		Allow-WireGuard
	option src		wan
	option dest_port	51820
	option proto		udp
	option target		ACCEPT

config include
	option path /etc/firewall.user
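
Added example, not part of any post in this thread: an interface with a static address uses its netmask to decide which hosts are on-link, so validating the masks in /etc/config/network complements the ARP and capture checks suggested above. The function names and the embedded sample (the lan and wwan netmasks as posted) are constructed for illustration.

```shell
# Print the prefix length of a dotted netmask; return 1 if it is malformed
# or has a 1-bit after a 0-bit (non-contiguous).
mask_to_prefix() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    prefix=0; seen_zero=0
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
        bit=128
        while [ "$bit" -ge 1 ]; do
            if [ $((octet & bit)) -ne 0 ]; then
                [ "$seen_zero" -eq 0 ] || return 1
                prefix=$((prefix + 1))
            else
                seen_zero=1
            fi
            bit=$((bit / 2))
        done
    done
    echo "$prefix"
}

# Read UCI text on stdin; report every interface section that sets a netmask.
check_uci_netmasks() {
    iface=
    while read -r kw name value; do
        value=$(printf '%s' "$value" | tr -d "'")
        case "$kw $name" in
            "config interface") iface=$value ;;
            "config "*) iface= ;;
            "option netmask")
                if p=$(mask_to_prefix "$value"); then
                    echo "$iface $value ok /$p"
                else
                    echo "$iface $value INVALID"
                fi ;;
        esac
    done
}

# Constructed sample: the lan and wwan netmask lines as posted in the thread.
sample_config() {
    printf '%s\n' "config interface 'lan'" "    option netmask '255.255.255.0'" \
        "" "config interface 'wwan'" "    option netmask '255.255.225.0'"
}
sample_config | check_uci_netmasks
```

On the router itself, the real file can be checked with `check_uci_netmasks < /etc/config/network`.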

Wireless guest isolation somewhere?

Not that I'm aware.
This option is enabled:

The active wireless devices displayed below may communicate with each other

Radio0 bridged but off gives problem to LAN?

Why would that matter?
I'm not able to access red from WAN on 192.168.178.2.

Could you attach another client there to capture packets?
This would also allow you to rule out a malfunction in the red client.

What does

ip route

say on the OpenWrt box?

Well, it's a WiFi client, so I can't exactly attach something the exact same way.
Just configuring something else to be 192.168.178.253 would probably not do much good.
But I can try and place another WiFi client right next to it, so the traffic would also need to traverse the mesh.

Also, if this was a malfunction of some sort I would not be able to access it from, say, the laptop, right?
It's in the same room and is also connected over WiFi directly to the router, just like the OpenWrt box.
On it though, I can access red without any problems.

Would

https://en.avm.de/service/fritzbox/fritzbox-7590/knowledge-base/publication/show/663_No-DNS-resolution-of-private-IP-addresses/

matter?

I'm currently not on site, and won't be for a few days, so I can't provide the output right now, sorry.

I don't think so.
I'm trying to access the IP, 192.168.178.253, not a DNS entry.

Should be useful to try

tracert

too?

Since you have no access to the red, connecting some other device that you have control over might help troubleshooting. It could be a problem of the red device not allowing connection from the OpenWrt for some reason.
