Relayd: cannot access bridge

Dear all,

I use relayd to extend my wlan using a Raspbery Pi. The Pi is connected via a lan cable on eth0 (wan) to a Fritzbox in another part of the house. Raspberry Pi runs Openwrt 21.02.0 and has a wifi network with the same SSID as the Fritzbox. Access to the Fritzbox and external websites from the Wifi of the Raspberry Pi is working. However, I cannot access the Raspberry Pi itself from the Wifi! I have already tried the suggestion from

https://oldwiki.archive.openwrt.org/doc/recipes/relayclient

to add the IP from the Fritzbox for the Raspberry Pi (in my case 192.168.101.109) to the network configuration. But I still cannot access the bridge from the Wifi if I am connected to the Raspberry Pi. I can connect to it with 192.168.101.109 if I am connected directly to the Wifi/lan of the Fritzbox. What am I doing wrong?

Here is config/network:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd90:cb64:46dc::/48'

config device
	option name 'br-lan'
	option type 'bridge'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option device 'br-lan'

config interface 'wan'
	option proto 'dhcp'
	option device 'eth0'

config interface 'wan6'
	option proto 'dhcpv6'
	option device 'eth0'

config interface 'stabridge'
	option proto 'relay'
	option ipaddr '192.168.101.109'
	list network 'lan'
	list network 'wan'

and here config/firewall

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'stabridge'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

config include
	option path '/etc/firewall.user'

config rule
	option name 'WAN-SSH'
	option src 'wan'
	option dest_port '22'
	option target 'ACCEPT'
	option proto 'tcp'

config rule
	option name 'WAN-HTTP'
	option src 'wan'
	option dest_port '80'
	option target 'ACCEPT'
	option proto 'tcp'

config rule
	option name 'WAN-HTTPS'
	option src 'wan'
	option dest_port '443'
	option target 'ACCEPT'
	option proto 'tcp'

If you are connected upstream by cable, you don't need relayd. DumbAP is more appropriate.

Hi @trendy, thank you for this tip! That solved my problem. I followed this guide to set-up a "DumpAP":

Now I have access to the network and the Raspberry Pi itself! One more quick question: The guide also suggested to tell the DHCPv6 client not to request prefix delegation.

config interface 'lan6'
	option proto 'dhcpv6'
	option ifname '@lan'
	option reqprefix 'no'

I want to use IPv6 on the wifi clients but only IP4 to reach the bridge. Do i therefore need to do these settings? Any insights, I am not entirely clear what this will do.

If you don't need to add IPv6 on the bridge interface, you can remove the lan6 altogether.

OK, thank you for your help! will do.