OpenWrt device as secondary router

Hi. I'm having a hard time setting up everything as on the scheme below.

I can't figure out how to properly connect the NanoPi device to the main router. I tried following the "dumb AP" (disable dhcp, etc.) route, but as a result I was losing access to the device.

If I ssh into the device, I can successfully ping external websites, however, all devices that the device is connected to are acting as if there is no internet.

Network file:


config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd3d:5366:30ea::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config device
        option name 'eth0'
        option macaddr 'ae:b5:8d:f2:2e:4e'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.99.1'
        list dns '192.168.99.1'

config device
        option name 'eth1'
        option macaddr 'ae:b5:8d:f2:2e:4d'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'
        option type 'bridge'

config interface 'wan6'
        option device 'eth1'
        option proto 'dhcpv6'

config interface 'docker'
        option device 'docker0'
        option proto 'none'
        option auto '0'

config device
        option type 'bridge'
        option name 'docker0'

Firewall file:

config defaults
        option flow_offloading '1'
        option syn_flood '1'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wan6'
        list network 'lan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'

config zone 'docker'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'docker'
        list network 'docker'

Can anyone advise on how to proceed? Thank you.

start by removing

Hi. Did that, but no changes after the rebooting.

do your clients know it got rebooted?

I replugged the cables and tried manually disabling the wired connection from Debian's GUI. No changes.

bridge is probably wrong too, remove it.

or just reset, the defaults work ...

Removed as well. Rebooted, re-plugged the cable. Acts the same way unfortunately.

since you're trying to use it as an AP, I assume you haven't connected the device via the wan port ?

and if main router LAN is 192.168.99.x, your openwrt device has to be on the same subnet, not 192.168.1.x.

but then you can't do any traffic restriction, since there's no firewall.

No. Everything is clean here. RouterLan1 -> NanoPi WAN. NanoPi Lan -> Client.

Do you mean that I need to change the static IP to the same subnet with 99?

you said you wanted to use it as an AP, then you have to move the WAN port from wan firewall zone over to lan, or not use it at all.

and yes, LAN IP has to be on the same subnet as main LAN, or you'll have to change your client's IP every time you try to access the Nano.

Okay, I've figured this all out, router was to blame.

I've reset OpenWrt on the NanoPi. Everything was working totally fine after that. I rebooted the NanoPi and everything got back to the state that I described here. I've set a static IP for the NanoPi and it solved the issue.

Thank you frollic for helping here.

Have you watched this?

Fast roaming OpenWrt Wi-Fi Access points

OpenWRT could really use a simple persistent checkbox (just like some consumer routers) for turning the router into a dumb AP. I recall my ancient Netgear WNDR3700 v4 called it something like "Secondary Router". Currently there is way too much monkey-work to turn openwrt into a dumb AP and it is far too easy to forget a step after sysupgrading the router.

sysupgrade shouldn't break a working config, unless it requires additional packages not bundled with the vanilla images, that's why ASU and OWUT were created.

or there's a mandatory reset during upgrade, this happens.

Nope thanks.
Sure, you can write and publish a Luci addon, but there are 1000 ways to set up and configure even a "basic dumb ap". I would predict that things go south quite fast with such auto-i-want-to-be-clever-configure-tools.

Ps. An AP is an AP, and a router is a router... /Nitpick

The problem I tend to see is dnsmasq and odhcpd being re-enabled by sysupgrades. It tends to make a real mess of things until I remember to turn them off.

Never had this problem, I think, but I seldom upgrade my devices though, since they're APs.

You could always tell dnsmasq to ignore br-lan, then it shouldn't matter if it's running or not.

What problems do you envision with a simple dumb AP setting? I was thinking along the lines of:

disable dnsmasq
disable odhcpd
remove the wan / wan6 interface
attach the "wan" ethernet to the lan / lan6 side of things

Nothing in the setup precludes someone ignoring the automation entirely and doing by hand if they need something more complicated.
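
The steps discussed in this exchange (AP address inside the main LAN's subnet, the WAN port moved into the LAN bridge, no local DHCP), as an added example that is not code from any poster in the thread or from the OpenWrt project. It assumes a default-style configuration in which the first `config device` section is `br-lan`, takes `eth1` as the WAN port as in the posted network file, and uses the constructed address 192.168.99.2 in its usage comment; DHCP is silenced through `dhcp.lan` options, along the lines of the "tell dnsmasq to ignore br-lan" suggestion, rather than by disabling the services.

```shell
#!/bin/sh
# Added example: print a `uci batch` script for a bridged ("dumb") AP.
# Nothing is changed on the device until the output is fed to `uci batch`.

# ip_to_int A.B.C.D -> the address as a 32-bit integer on stdout
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1            # split the dotted quad into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# same_subnet IP1 IP2 NETMASK -> exit 0 when both addresses share a network
same_subnet() {
    m=$(ip_to_int "$3")
    [ $(( $(ip_to_int "$1") & m )) -eq $(( $(ip_to_int "$2") & m )) ]
}

# dumb_ap_batch AP_IP MAIN_ROUTER_IP NETMASK WAN_PORT
# Refuses to emit anything when the AP address is outside the main LAN,
# which is the 192.168.1.1 vs 192.168.99.1 mismatch in the posted config.
dumb_ap_batch() {
    ap_ip=$1 gw=$2 mask=$3 wan_port=$4
    if ! same_subnet "$ap_ip" "$gw" "$mask"; then
        echo "error: $ap_ip is not in the main router's subnet ($gw/$mask)" >&2
        return 1
    fi
    cat <<EOF
set network.lan.ipaddr='$ap_ip'
set network.lan.netmask='$mask'
set network.lan.gateway='$gw'
set network.lan.dns='$gw'
delete network.wan
delete network.wan6
add_list network.@device[0].ports='$wan_port'
set dhcp.lan.ignore='1'
set dhcp.lan.dhcpv6='disabled'
set dhcp.lan.ra='disabled'
commit network
commit dhcp
EOF
}

# Usage on the AP (192.168.99.2 is a constructed, assumed-free address):
#   dumb_ap_batch 192.168.99.2 192.168.99.1 255.255.255.0 eth1 > /tmp/ap.uci \
#       && uci batch < /tmp/ap.uci && /etc/init.d/network restart
```

Because the DHCP settings live in `/etc/config/dhcp`, they stay in effect even if dnsmasq or odhcpd end up enabled again.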

Yes, I do that. When I remember. :wink:
It's just too easy to forget a step when first setting things up.

Not every user intends to use a single local network. So the slightest change regarding the "architecture" of the network will make it hard to come up with a general solution.
The aim of OpenWrt is not to replace the unifi controller or a Fritzbox GUI. But feel free to write such UCI scripts and package them.
