Port forward problem with relayd

Hi,

I have set up an OpenWrt repeater using the following user guide: https://openwrt.org/docs/guide-user/network/wifi/relay_configuration

Hereafter is a diagram of my specific network configuration:
[diagram: relayd_port_fwrd]

First of all, everything is working perfectly on the 192.168.1.0/24 subnet: anyone can ping or open a connection to anyone whether they are connected to the AP or to the repeater, through WiFi (dotted lines) or through Ethernet (solid lines).

My problem is that I need to connect to a Web server hosted by 192.168.1.21 from the AP's WAN interface. So, on the AP, I have added a port-forwarding rule on port 443 to 192.168.1.21:443. It does not work.

However, if I do the same things for any other host (192.168.1.11, 192.168.1.12 or 192.168.1.22), it works. So, it seems the problem only occurs for hosts connected to the repeater through Ethernet.

Any idea how to solve that issue?

I guess it has something to do with the fact that the repeater's LAN interface is not on the same subnet, but according to the OpenWrt user guide this is mandatory. Moreover, any host connected to the repeater's LAN interface can access the 192.168.1.0/24 subnet; it can even issue DHCP requests...

I thought of using 2 port-forwarding rules:

  • One on the AP that forwards port 443 to 192.168.1.2:443;
  • One on the repeater that forwards 443 to 192.168.1.21:443.

Both rules do not work:

  • Regarding the first one, packets are forwarded but not accepted by the repeater;
  • Regarding the second one, it is not possible to add it (via the Web interface) because port-forwarding rules only accept the WAN interface as the external interface.

Does someone have any other workaround that comes to mind?

Thanks,
Regards,
Thomas M.

Is the LAN IP of the repeater, 192.168.2.1, correct, or is it a typo?
If it is correct, it won't be able to communicate with the .1.21 web server.
One more thing, are you bridging LAN and WLAN Client?

The 192.168.2.0 should be completely non-functional, strictly speaking you do not even need it. So everything should be configured on the 192.168.1.0 network.

If properly configured, the repeater should be completely transparent, and you should only need to configure the port redirection on the main router.

I guess you need to figure out why it is not working and where packets are being lost. See if port 443 on the web server can be reached from the main router. Check also if it works when you plug that machine directly into the main router.

By the way, is the firewall on the web server open to connections from an external IP address?
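The troubleshooting steps suggested in this reply, as an added example script that is not part of the thread: it probes each hop on the inside path (repeater, then web server) in order and reports the first one whose TCP port does not answer, which tells you where the forwarded traffic is being lost, and optionally tries the forwarded port from the AP's WAN address. The addresses 192.168.1.2 and 192.168.1.21 come from the original post; probing port 80 (LuCI) on the repeater, an `nc` that understands `-z -w` (the OpenWrt `netcat` package, not the BusyBox applet), and the WAN address passed as an argument are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): locate where a relayd port forward breaks.
# Run on the main router or any host on 192.168.1.0/24:
#   sh relay_probe.sh run            # inside path only
#   sh relay_probe.sh run <WAN_IP>   # also check the forwarded port from outside

# tcp_probe HOST PORT: exit 0 when a TCP connect to HOST:PORT succeeds within
# 3 seconds. Assumes an nc with -z/-w (OpenWrt "netcat" package). Redefine this
# function to exercise the hop logic without touching the network.
tcp_probe() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# first_dead_hop LABEL:HOST:PORT ...: probe hops in path order; print the label
# of the first one that fails and return 1, or print "none" and return 0.
first_dead_hop() {
    for hop in "$@"; do
        label=${hop%%:*}
        rest=${hop#*:}
        host=${rest%%:*}
        port=${rest#*:}
        if ! tcp_probe "$host" "$port"; then
            printf '%s\n' "$label"
            return 1
        fi
    done
    printf '%s\n' none
    return 0
}

# run_diagnosis [WAN_IP]: walk the inside path first (repeater's LuCI port is an
# assumed reachability check); if that is clean and a WAN address is given, try
# the forwarded port the way an outside client would.
run_diagnosis() {
    if ! dead=$(first_dead_hop \
            "repeater:192.168.1.2:80" \
            "webserver:192.168.1.21:443"); then
        printf 'first unreachable hop: %s\n' "$dead"
        printf 'hint: if only the web server fails, plug it into the AP directly and retry;\n'
        printf '      also confirm its own firewall accepts connections from outside its subnet\n'
        return 1
    fi
    printf 'inside path is clean\n'
    if [ -n "${1:-}" ]; then
        if tcp_probe "$1" 443; then
            printf 'forwarded port answers on %s:443\n' "$1"
        else
            printf 'inside path is clean but %s:443 does not answer: check the redirect rule\n' "$1"
            # On the AP itself, list the configured redirects for a quick sanity check.
            command -v uci >/dev/null 2>&1 && uci -q show firewall | grep -E 'redirect|dest_ip|src_dport'
            return 1
        fi
    fi
    return 0
}

case "${1:-}" in
    run) run_diagnosis "${2:-}" ;;
esac
```

Because the hops are probed in order, the first failure is the boundary to look at: a dead repeater hop points at the relay/bridge setup, a dead web server hop with a live repeater points at the repeater's Ethernet side or the server's own firewall, and a clean inside path with a dead WAN probe points at the redirect rule on the AP.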