Problems with Bridged AP setup

I have a pfsense box as my main firewall for my network at the moment. I just got a LinkStar H68K that I intend to use as a travel router with a vpn client. I figured that when I'm not travelling, I could use the router as a wireless access point for my room, as I have a network switch in my closet. I would like clients connected to the wireless network to be assigned ip addresses by the dhcp server on my main router.

I'd like to note that I am using LuCI to configure my LinkStar, as it comes with the custom installation. I started with a clean installation of openwrt and changed the lan interface to have a static ip address on the same subnet as my router (let's say my main router is 192.168.0.1, lan on openwrt would be 192.168.0.2) and set the ipv4 gateway to the ip of my pfsense router. I then disabled dhcp & dhcpv6 for the interface via the submenu at the bottom of the lan configuration screen. The only other things I did were to set an admin password for the web ui and reconfigure the default wireless network to use wpa3 security.

At this point, the network does not seem to bridge over eth1, eth2, eth3 as it's supposed to (this is default configuration for LinkStar). If I disable the firewall in openwrt entirely, then physically connecting to any of these ports works as expected (ip addr received from pfsense, internet and lan connectivity work fine). I don't understand why the firewall matters given I am only using the lan interface. The remaining issue is the wireless network. When I access the wifi network with my phone, I do not have internet access, nor can I ping other devices on my network (including pfsense). My windows laptop on the other hand, won't even let me connect to the wifi network (it has a circled 'x' on top of the wifi symbol for the network).

It seems to me like I've set everything up correctly, does anyone know what I might be doing wrong?

I don't know that I'd recommend this dual-purpose use-case (home as dumb AP, travel as VPN router) because it involves some rather significant config changes between those two modes, and it could be a bit of a pain to make those changes each time... but that's not necessarily a huge deal.

But... on your main issue... let's see the config

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Thank you for your quick response!
I have considered that reconfiguring the router whenever I travel would be a pain, but I noticed that there is a config backup/restoration feature present in the web interface that might save me some pain. Anyways, having it set up as an AP just gives me something to use it for while I'm home and to be honest I'm trying to use it as an opportunity to become more comfortable with networking (I've been testing several different network configurations, but I've been factory resetting so none of my previous tests should be influencing current results).

Here are the files you asked for:

/etc/config/network:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fdb1:e107:fa72::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.2'
        option _orig_ifname 'eth1 eth2 eth3 radio0.network1'
        option _orig_bridge 'true'
        option ifname 'eth1 eth2'
        option gateway '192.168.0.1'
        option dns '192.168.0.1'

config device 'lan_eth1_dev'
        option name 'eth1'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config device 'lan_eth2_dev'
        option name 'eth2'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config device 'lan_eth3_dev'
        option name 'eth3'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'

config device 'wan_eth0_dev'
        option name 'eth0'
        option macaddr 'xx:xx:xx:xx:xx:xx'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'

config interface 'vpn0'
        option ifname 'tun0'
        option proto 'none'

config interface 'docker'
        option ifname 'docker0'
        option proto 'none'
        option auto '0'

config device
        option type 'bridge'
        option name 'docker0'

config interface 'ipsec_server'
        option ifname 'ipsec0'
        option device 'ipsec0'
        option proto 'static'
        option ipaddr '192.168.100.1'
        option netmask '255.255.255.0'

config interface 'OPT'
        option proto 'static'
        option ifname 'eth3'
        option ip6assign '60'
        option ipaddr '192.168.100.1'
        option netmask '255.255.255.0'

/etc/config/wireless:

config wifi-device 'radio0'
        option type 'mac80211'
        option path '3c0000000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option country 'US'
        option legacy_rates '1'
        option mu_beamformer '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option network 'lan'
        option ssid 'H69K'
        option encryption 'sae'
        option key '************'

/etc/config/dhcp:

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option filter_aaaa '0'
        option cachesize '8000'
        option mini_ttl '3600'
        option ednspacket_max '1232'
        option noresolv '0'

config dhcp 'lan'
        option interface 'lan'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'OPT'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'OPT'
        option ra 'server'
        option dhcpv6 'server'
        option ra_management '1'

/etc/config/firewall:

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option flow_offloading '1'
        option flow_offloading_hw '1'
        option fullcone '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

config include 'zerotier'
        option type 'script'
        option path '/etc/zerotier.start'
        option reload '1'

config include 'miniupnpd'
        option type 'script'
        option path '/usr/share/miniupnpd/firewall.include'
        option family 'any'
        option reload '1'

config include 'luci_app_ipsec_server'
        option type 'script'
        option path '/var/etc/ipsecvpn.include'
        option reload '1'

config include 'mia'
        option type 'script'
        option path '/etc/mia.include'
        option reload '1'

config rule 'openvpn'
        option name 'openvpn'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp udp'
        option dest_port '1194'

config zone 'vpn'
        option name 'vpn'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option masq '1'
        option network 'vpn0'

config forwarding 'vpntowan'
        option src 'vpn'
        option dest 'wan'

config forwarding 'vpntolan'
        option src 'vpn'
        option dest 'lan'

config forwarding 'lantovpn'
        option src 'lan'
        option dest 'vpn'

config include 'pptpd'
        option type 'script'
        option path '/etc/pptpd.include'
        option reload '1'

config rule 'pptp'
        option name 'pptp'
        option target 'ACCEPT'
        option src 'wan'
        option proto 'tcp'
        option dest_port '1723'

config rule 'gre'
        option name 'gre'
        option target 'ACCEPT'
        option src 'wan'
        option proto '47'

config zone 'docker'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option name 'docker'
        list network 'docker'
        list network 'docker'

config zone 'ipsecserver'
        option name 'ipsecserver'
        option input 'ACCEPT'
        option forward 'ACCEPT'
        option output 'ACCEPT'
        option network 'ipsec_server'

config zone
        option name 'OPT'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'OPT'
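A way to check the dumb-AP procedure from the first post against the files posted above, as an added example script; it is not code from the thread, the OpenWrt project or the LinkStar firmware. It parses the UCI text format and reports the conditions a bridged AP needs: every expected LAN port (eth1, eth2, eth3 here, taken from the thread's `_orig_ifname`) is in the LAN bridge and not claimed by another interface, an AP-mode wifi-iface is attached to the bridge, the local DHCP server is disabled on it, and the bridge has a gateway and DNS. It goes a step beyond the thread by also reading the newer OpenWrt syntax (`config device` with `list ports`). The sample configs are constructed: the first is trimmed from the posted config, the second is a hypothetical variant with all three ports on the bridge.

```python
"""Lint a dumb-AP (bridged access point) UCI configuration.

Added example; not code from the OpenWrt project or the LinkStar firmware.
Parses UCI text and reports what a bridged AP needs: all expected ports in
the LAN bridge and nowhere else, an AP-mode wifi-iface on the bridge, local
DHCP disabled on it, and a gateway plus DNS so the AP itself can reach upstream.
"""
import re

SECTION_RE = re.compile(r"^config\s+(\S+)(?:\s+'?([^'\s]+)'?)?$")
OPTION_RE = re.compile(r"^(option|list)\s+(\S+)\s+'([^']*)'$")


def parse_uci(text):
    """Parse UCI text into [{'type', 'name', 'opts'}]; 'list' keys accumulate values."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            sections.append({'type': m.group(1), 'name': m.group(2), 'opts': {}})
        elif (m := OPTION_RE.match(line)) and sections:
            _, key, val = m.groups()
            sections[-1]['opts'].setdefault(key, []).append(val)
    return sections


def find(sections, stype, sname=None, **want):
    """Sections of type stype whose name and single-valued options match."""
    return [s for s in sections if s['type'] == stype
            and (sname is None or s['name'] == sname)
            and all(s['opts'].get(k) == [v] for k, v in want.items())]


def bridge_members(net, opts):
    """(ports, is_bridge): legacy 'type bridge' + 'ifname', or newer 'device br-lan'
    resolved to a 'config device' section of type bridge with 'list ports'."""
    ports = set(' '.join(opts.get('ifname', [])).split())
    is_bridge = opts.get('type') == ['bridge']
    for dev in opts.get('device', []):
        for d in find(net, 'device', name=dev, type='bridge'):
            ports.update(d['opts'].get('ports', []))
            is_bridge = True
    return ports, is_bridge


def check_dumb_ap(network_cfg, wireless_cfg, dhcp_cfg, bridge='lan', expected_ports=()):
    """Return findings; an empty list means the config looks like a working dumb AP."""
    net, wl, dhcp = (parse_uci(c) for c in (network_cfg, wireless_cfg, dhcp_cfg))
    lan = find(net, 'interface', bridge)
    if not lan:
        return [f"no interface section named '{bridge}'"]
    lan, findings = lan[0]['opts'], []
    members, is_bridge = bridge_members(net, lan)
    if not is_bridge:
        findings.append(f"{bridge} is not a bridge")
    findings += [f"{p} missing from {bridge} bridge" for p in expected_ports if p not in members]
    # a port claimed by another interface cannot also be a member of the bridge
    for s in find(net, 'interface'):
        if s['name'] != bridge:
            for p in sorted(bridge_members(net, s['opts'])[0] & set(expected_ports)):
                findings.append(f"{p} also assigned to interface '{s['name']}'")
    if not find(wl, 'wifi-iface', mode='ap', network=bridge):
        findings.append(f"no AP-mode wifi-iface attached to {bridge}")
    srv = find(dhcp, 'dhcp', interface=bridge)
    if not srv or srv[0]['opts'].get('ignore') != ['1']:
        findings.append(f"local DHCP server not disabled on {bridge}")
    findings += [f"{bridge} has no {k}; the AP itself cannot reach upstream"
                 for k in ('gateway', 'dns') if k not in lan]
    return findings


# Constructed from the thread's posted config (trimmed): eth3 sits on a separate OPT interface.
NETWORK_THREAD = """\
config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.0.2'
        option ifname 'eth1 eth2'
        option gateway '192.168.0.1'
        option dns '192.168.0.1'

config interface 'OPT'
        option proto 'static'
        option ifname 'eth3'
        option ipaddr '192.168.100.1'
"""
# Hypothetical variant in the newer syntax with all three ports on the bridge.
NETWORK_BRIDGED = """\
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'
        list ports 'eth2'
        list ports 'eth3'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.0.2'
        option gateway '192.168.0.1'
        option dns '192.168.0.1'
"""
WIRELESS = "config wifi-iface 'default_radio0'\n\toption mode 'ap'\n\toption network 'lan'\n\toption encryption 'sae'\n"
DHCP = "config dhcp 'lan'\n\toption interface 'lan'\n\toption ignore '1'\n"

if __name__ == '__main__':
    for label, cfg in (('thread', NETWORK_THREAD), ('bridged', NETWORK_BRIDGED)):
        print(label, check_dumb_ap(cfg, WIRELESS, DHCP, expected_ports=('eth1', 'eth2', 'eth3')) or ['ok'])
```

Run against the trimmed thread config it reports that eth3 is missing from the lan bridge and is assigned to the OPT interface instead; against the bridged variant it reports nothing. On a real device the three files would be read from /etc/config/ rather than embedded.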

What version of OpenWrt are you using?

ubus call system board

R22.11.13

I flashed the operating system provided by seeed studio for the LinkStar
LinkStar Operating System Installation Instructions

Here is the full printout of the command you gave me:

{
        "kernel": "4.19.245-android",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 0",
        "model": "H68K Series",
        "board_name": "hinlink,opc-h68k-d",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "target": "rockchip/armv8",
                "revision": "R22.11.13",
                "description": "OpenWrt "
        }
}

You need to request help from LinkStar. This is not standard OpenWrt -- it is highly customized by LinkStar, making it considerably different than the official project. Further, the syntax is not even close to what is used by any current version of OpenWrt, so advice you get here will likely steer you in the wrong direction.


Understood, I'm new to using openwrt, so I wasn't sure how different it was. Thank you for your help!

You're welcome. Sorry we can't help you here... we're really only able to help out with the official version of OpenWrt or closely related forks that are created by community members (see the community projects section).

I don't think your device is supported by the official project, but for devices that are running OpenWrt from here, we're always around to help.


This topic was automatically closed after 13 hours. New replies are no longer allowed.