Problems with connecting to devices connected to a relayd bridge

I recently flashed OpenWrt onto a Linksys E5400 and, using relayd, have been using it as a wireless Ethernet bridge for an old OptiPlex that I sometimes play with.

I have a bit of a problem where, under Windows, I am unable to ping it from devices not connected to the bridge, while under Linux it works fine.

This also affects PXE booting as well; it gets the boot information from my main router, but it times out when trying to connect to my TFTP server (which is hosted on another machine). This occurs both in the network boot ROM and in Windows, but doesn't occur when the machine is directly connected to my main router. I haven't tested TFTP in Linux, nor have I tried something like IPXE for network booting.

Given that PXE booting works when directly connected to the network but not through the bridge, one could assume that something is afoul in the bridge, yet given that I can sucessfully ping the machine and use TFTP (and SSH) on Linux, I'm not really sure.

Has anyone else had this happen (at least the "not being able to ping devices on the bridge" part)? Is there a fix?

For the record, here's my firewall, network, and wireless configs

Firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'wwan'
        list network 'wwan6'
        option masq '1'

Network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda4:f068:7ebb::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.255.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0.2'
        option macaddr '80:69:1a:04:94:2f'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 6t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 6t'

config interface 'wwan'
        option proto 'static'
        option ipaddr '192.168.0.99'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'
        list dns '192.168.0.1'

config interface 'rbridge'
        option proto 'relay'
        option ipaddr '192.168.0.99'
        list network 'lan'
        list network 'wwan'

config interface 'wwan6'
        option proto 'dhcpv6'
        option device '@wwan'
        option reqaddress 'none'
        option reqprefix 'auto'
        option norelease '1'

Wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/10300000.wmac'
        option band '2g'
        option channel '1'
        option htmode 'HT20'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '5g'
        option channel '116'
        option htmode 'HT40'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'
        option disabled '1'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'sta'
        option network 'wwan'
        option ssid '[REDACTED]'
        option bssid '[REDACTED]'
        option encryption 'psk2'
        option key '[REDACTED]'

Can we see the DHCP config also?

Here it is!

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'
        option filter_aaaa '0'
        option filter_a '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'
        option ra 'relay'
        option ndp 'relay'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'wwan'
        option interface 'wwan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option ignore '1'
        option master '1'
        option ra 'relay'
        option ndp 'relay'

You haven't disabled DHCPv4 on LAN. I [almost] think that IPv6 configuration isn't needed either.

You haven't disabled DHCPv4 on LAN.

DHCPv4 on lan is disabled, despite the DHCP options still being set, as the ignore option is set to 1.

I [almost] think that IPv6 configuration isn't needed either.

It definitely is, otherwise bridged devices wouldn't be able get an IPv6 address (this isn't mandatory, and on XP it doesn't do anything; it's only there so my Linux install can use IPv6).

My bad - I must have misread.

My problem with pinging the OptiPlex when running Windows proved to be user error; ICMP was disabled in the firewall settings.

The TFTP problem remains, however.

Using tcpdump, I found that the data packets from the TFTP server are making it to the E5400 itself, but they aren't making it to the LAN side.

LAN side (br-lan) tcpdump (first a standard Windows ping, then an attempted TFTP fetch), filter is host 192.168.0.11:

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), snapshot length 262144 bytes
20:59:25.766178 IP 192.168.0.24 > 192.168.0.11: ICMP echo request, id 512, seq 256, length 40
20:59:25.769538 IP 192.168.0.11 > 192.168.0.24: ICMP echo reply, id 512, seq 256, length 40
20:59:26.761718 IP 192.168.0.24 > 192.168.0.11: ICMP echo request, id 512, seq 512, length 40
20:59:26.765017 IP 192.168.0.11 > 192.168.0.24: ICMP echo reply, id 512, seq 512, length 40
20:59:27.761704 IP 192.168.0.24 > 192.168.0.11: ICMP echo request, id 512, seq 768, length 40
20:59:27.764072 IP 192.168.0.11 > 192.168.0.24: ICMP echo reply, id 512, seq 768, length 40
20:59:28.761726 IP 192.168.0.24 > 192.168.0.11: ICMP echo request, id 512, seq 1024, length 40
20:59:28.764944 IP 192.168.0.11 > 192.168.0.24: ICMP echo reply, id 512, seq 1024, length 40
20:59:32.439191 ARP, Request who-has 192.168.0.11 tell 192.168.255.1, length 28
20:59:32.440959 ARP, Request who-has 192.168.0.11 (ff:ff:ff:ff:ff:ff) tell 192.168.0.11, length 28
20:59:32.441075 ARP, Reply 192.168.0.11 is-at 80:69:1a:04:94:2e, length 28
20:59:33.927563 IP 192.168.0.24.1105 > 192.168.0.11.69: TFTP, length 33, RRQ "boot/grub/i386-pc/core.0" octet
20:59:34.918008 IP 192.168.0.24.1105 > 192.168.0.11.69: TFTP, length 33, RRQ "boot/grub/i386-pc/core.0" octet
20:59:36.918031 IP 192.168.0.24.1105 > 192.168.0.11.69: TFTP, length 33, RRQ "boot/grub/i386-pc/core.0" octet
20:59:39.806542 ARP, Request who-has 192.168.0.24 tell 192.168.0.11, length 28
20:59:39.806976 ARP, Reply 192.168.0.24 is-at 00:1e:4f:f1:0b:53, length 46
20:59:40.918052 IP 192.168.0.24.1105 > 192.168.0.11.69: TFTP, length 33, RRQ "boot/grub/i386-pc/core.0" octet
20:59:47.499834 IP 192.168.0.11.138 > 192.168.0.255.138: UDP, length 190
20:59:48.918106 IP 192.168.0.24.1105 > 192.168.0.11.69: TFTP, length 33, RRQ "boot/grub/i386-pc/core.0" octet
20:59:50.468957 IP 192.168.0.11.138 > 192.168.0.255.138: UDP, length 190
20:59:52.414594 IP 192.168.0.11.138 > 192.168.0.255.138: UDP, length 190
20:59:54.469113 IP 192.168.0.11.138 > 192.168.0.255.138: UDP, length 190
20:59:56.510704 IP 192.168.0.11.138 > 192.168.0.255.138: UDP, length 190
20:59:56.918147 IP 192.168.0.24.1105 > 192.168.0.11.69: TFTP, length 33, RRQ "boot/grub/i386-pc/core.0" octet
21:00:02.443795 ARP, Request who-has 192.168.0.11 tell 192.168.255.1, length 28
21:00:02.445932 ARP, Request who-has 192.168.0.11 (ff:ff:ff:ff:ff:ff) tell 192.168.0.11, length 28
21:00:02.446051 ARP, Reply 192.168.0.11 is-at 80:69:1a:04:94:2e, length 28
21:00:04.918205 IP 192.168.0.24.1105 > 192.168.0.11.69: TFTP, length 33, RRQ "boot/grub/i386-pc/core.0" octet
21:00:12.918252 IP 192.168.0.24.1105 > 192.168.0.11.69: TFTP, length 33, RRQ "boot/grub/i386-pc/core.0" octet
21:00:20.918404 IP 192.168.0.24.1105 > 192.168.0.11.69: TFTP, length 23, ERROR EUNDEF "timeout on receive"
^C
30 packets captured
30 packets received by filter
0 packets dropped by kernel

Wi-Fi side (phy1-sta0) tcpdump output, same filter:

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on phy1-sta0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
21:03:15.868419 IP 192.168.0.99 > 192.168.0.11: ICMP echo request, id 512, seq 1280, length 40
21:03:15.872712 IP 192.168.0.11 > 192.168.0.99: ICMP echo reply, id 512, seq 1280, length 40
21:03:16.872587 IP 192.168.0.99 > 192.168.0.11: ICMP echo request, id 512, seq 1536, length 40
21:03:16.874437 IP 192.168.0.11 > 192.168.0.99: ICMP echo reply, id 512, seq 1536, length 40
21:03:17.872576 IP 192.168.0.99 > 192.168.0.11: ICMP echo request, id 512, seq 1792, length 40
21:03:17.876655 IP 192.168.0.11 > 192.168.0.99: ICMP echo reply, id 512, seq 1792, length 40
21:03:18.872586 IP 192.168.0.99 > 192.168.0.11: ICMP echo request, id 512, seq 2048, length 40
21:03:18.878469 IP 192.168.0.11 > 192.168.0.99: ICMP echo reply, id 512, seq 2048, length 40
21:03:20.994095 ARP, Request who-has 192.168.0.99 tell 192.168.0.11, length 46
21:03:20.994176 ARP, Reply 192.168.0.99 is-at 80:69:1a:04:94:31, length 28
21:03:20.994847 ARP, Reply 192.168.0.99 is-at 80:69:1a:04:94:31, length 28
21:03:22.260310 IP 192.168.0.99.1107 > 192.168.0.11.69: TFTP, length 33, RRQ "boot/grub/i386-pc/core.0" octet
21:03:22.268479 IP 192.168.0.11.43403 > 192.168.0.99.1107: UDP, length 516
21:03:22.268812 IP 192.168.0.99 > 192.168.0.11: ICMP 192.168.0.99 udp port 1107 unreachable, length 552
21:03:23.247654 IP 192.168.0.99.1107 > 192.168.0.11.69: TFTP, length 33, RRQ "boot/grub/i386-pc/core.0" octet
21:03:23.253975 IP 192.168.0.11.42817 > 192.168.0.99.1107: UDP, length 516
21:03:23.254308 IP 192.168.0.99 > 192.168.0.11: ICMP 192.168.0.99 udp port 1107 unreachable, length 552
21:03:25.247657 IP 192.168.0.99.1107 > 192.168.0.11.69: TFTP, length 33, RRQ "boot/grub/i386-pc/core.0" octet
21:03:25.263589 IP 192.168.0.11.35372 > 192.168.0.99.1107: UDP, length 516
21:03:25.263923 IP 192.168.0.99 > 192.168.0.11: ICMP 192.168.0.99 udp port 1107 unreachable, length 552
21:03:29.247702 IP 192.168.0.99.1107 > 192.168.0.11.69: TFTP, length 33, RRQ "boot/grub/i386-pc/core.0" octet
21:03:29.256447 IP 192.168.0.11.58701 > 192.168.0.99.1107: UDP, length 516
21:03:29.256794 IP 192.168.0.99 > 192.168.0.11: ICMP 192.168.0.99 udp port 1107 unreachable, length 552
21:03:32.474969 ARP, Request who-has 192.168.0.11 tell 192.168.0.99, length 28
21:03:32.476967 ARP, Reply 192.168.0.11 is-at 3c:52:82:30:48:00, length 46
21:03:37.247745 IP 192.168.0.99.1107 > 192.168.0.11.69: TFTP, length 33, RRQ "boot/grub/i386-pc/core.0" octet
21:03:37.260088 IP 192.168.0.11.47404 > 192.168.0.99.1107: UDP, length 516
21:03:37.260451 IP 192.168.0.99 > 192.168.0.11: ICMP 192.168.0.99 udp port 1107 unreachable, length 552
21:03:45.247830 IP 192.168.0.99.1107 > 192.168.0.11.69: TFTP, length 33, RRQ "boot/grub/i386-pc/core.0" octet
21:03:45.258445 IP 192.168.0.11.41286 > 192.168.0.99.1107: UDP, length 516
21:03:45.258786 IP 192.168.0.99 > 192.168.0.11: ICMP 192.168.0.99 udp port 1107 unreachable, length 552
21:03:53.247829 IP 192.168.0.99.1107 > 192.168.0.11.69: TFTP, length 33, RRQ "boot/grub/i386-pc/core.0" octet
21:03:53.255200 IP 192.168.0.11.40282 > 192.168.0.99.1107: UDP, length 516
21:03:53.255607 IP 192.168.0.99 > 192.168.0.11: ICMP 192.168.0.99 udp port 1107 unreachable, length 552
21:04:01.247873 IP 192.168.0.99.1107 > 192.168.0.11.69: TFTP, length 33, RRQ "boot/grub/i386-pc/core.0" octet
21:04:01.255048 IP 192.168.0.11.42758 > 192.168.0.99.1107: UDP, length 516
21:04:01.255383 IP 192.168.0.99 > 192.168.0.11: ICMP 192.168.0.99 udp port 1107 unreachable, length 552
21:04:02.479526 ARP, Request who-has 192.168.0.11 tell 192.168.0.99, length 28
21:04:02.481368 ARP, Reply 192.168.0.11 is-at 3c:52:82:30:48:00, length 46
21:04:09.248009 IP 192.168.0.99.1107 > 192.168.0.11.69: TFTP, length 23, ERROR EUNDEF "timeout on receive"
^C
40 packets captured
40 packets received by filter
0 packets dropped by kernel

I ended up dispensing with relayd, and moved the bridge to another subnet, with a traffic rule to bring in the conntrack TFTP helper for TFTP connections. TFTP now works, and I am also able to PXE boot.

I wouldn't count this as a solution, however, given it doesn't fulfill my goal of having my devices bridged onto my main network and being able to PXE boot. But that isn't too difficult to work around.