relayd: prevent forwarding of ARP packets

I have a Fritz!Box 7590 with stock firmware, and I'm trying to use a Linksys WRT1200AC running OpenWrt 19.07.4 to extend the wifi range. To help clarify which hosts are connected to what, they have different wifi networks with different passwords. I followed these instructions to set up relayd, except that I'm using ethernet over homeplug to connect the routers and wifi to connect the clients (the opposite of what's documented).

Some hosts have multiple network adapters, e.g. ethernet and wifi. If a host connects to the Fritz!Box with ethernet and the Linksys with wifi, I find that dhcpcd on the host detects an address conflict and gives up its address. I believe (but can't quite prove) that what's happening is:

  • Host sends "Gratuitous ARP" on ethernet to advertise its presence
  • OpenWrt sees the ARP packet and forwards it over wifi
  • Crucially, this forwarded packet appears to come from the Linksys's MAC
  • Host sees the forwarded packet on wifi with a different MAC
  • dhcpcd detects a conflict and decides it needs to abandon its address

These conflicts happen in both directions. When it detects conflict on ethernet it re-requests an address with DHCP, and Fritz!Box gives it the same address. But when the conflict is detected on wifi, the request is sent to OpenWrt and forwarded. This results in a different IP address. Since this happens constantly:

  1. Every DNS cache on the network has an outdated value for the host's current IP address, so I can't contact hosts by name
  2. The local network range quickly gets exhausted, forcing other hosts to give up their IP addresses

I'm looking for advice how to prevent this. My best guess is to set up a firewall rule attached to the REPEATER_BRIDGE interface that blocks ARP packets. But I don't have the first clue how to do that, it looks hard. Also, these ARP packets sound like they might be important, should I really block them?

Also, this is what I believe is happening after poring over pcap dumps in wireshark, but I might be mistaken. Does it sound likely, and is there anything I should do to confirm? I don't see any "distinguishing marks" on these gratuitous ARP packets to prove that they really are the same packet with the sender MAC changed.


The whole and single purpose of relayd is to (badly-) emulate a single broadcast domain, if that's not what you want, don't use it (in favour of a routed client setup with static routes on your Fritz!Box).

1 Like

I kinda would like a single broadcast domain - I have a couple of services broadcasting over the network and I'd like all hosts to see packets. But I can live without that. My real goal is for all hosts to reach each other by name regardless of which network they're attached to. Sounds like relayd isn't a good solution for that.

Setting up static routes for all hosts sounds like a pain. Instead I think I can make the Fritz!Box use the Linksys as its upstream DNS server, while the Linksys uses a real DNS server. This should allow all hosts to be reachable by name. I'll give it a go.