Routed AP, but wifi clients aren't routed

Seeking a clue on bridging or routing.

I'm generally following the "Routed AP" user guide for a Ubiquiti AP AC Pro. I've got basic networking working -- except Internet for wifi clients. [By basic I mean: a wifi client can ping any IP on the AP; while ssh'd to the AP I can ping wifi clients, the default router and external Internet hosts; DNS, DHCP, NTP work for the wifi clients; syslog for the AP works.]

I think I'm just missing something vital in the documentation regarding bridging or routing. Apologies in advance -- this really should be a rather vanilla configuration. However, I've been going in circles all day on this.

Details:
OpenWrt 18.06.1, r7258-5eb055306f

The AP's LAN port is connected to a switch configured for 192.168.0.0/24.
A cable modem is at 192.168.1.1.
192.168.2.0/24 is used by another AP for an existing wireless network.
192.168.3.0/24 is used by another AP for an existing wireless network.

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         192.168.0.1     0.0.0.0         UG    0      0        0 br-lan
192.168.0.0     *               255.255.255.0   U     0      0        0 br-lan
192.168.4.0     *               255.255.255.0   U     0      0        0 wlan0
192.168.5.0     *               255.255.255.0   U     0      0        0 wlan1

/etc/config/network (partial):

config interface 'lan'
	option ifname 'eth0.1'
	option type 'bridge'
	option proto 'static'
	option ip6assign '60'
	option ipaddr '192.168.0.250'
	option netmask '255.255.255.0'
	option gateway '192.168.0.1'
	option broadcast '192.168.0.255'
	option dns '8.8.4.4 8.8.8.8'

config interface 'wifi24'
	option proto 'static'
	option ipaddr '192.168.4.1'
	option netmask '255.255.255.0'
	option broadcast '192.168.4.255'

config interface 'wifi50'
	option proto 'static'
	option ipaddr '192.168.5.1'
	option netmask '255.255.255.0'
	option broadcast '192.168.5.255'
<snip>

/etc/config/wireless:

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option htmode 'VHT80'
	option country 'US'
	option legacy_rates '1'
	option distance '30'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'TweedleDee24'
	option encryption 'psk2+ccmp'
	option key 'someKey'
	option network 'wifi24'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/qca956x_wmac'
	option htmode 'HT20'
	option country 'US'
	option legacy_rates '1'
	option distance '30'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'TweedleDee50'
	option encryption 'psk2+ccmp'
	option key 'someKey'
	option network 'wifi50'

/etc/config/firewall (default, plus the following):

config forwarding
	option src 'wifi24'
	option dest 'lan'

config forwarding
	option src 'wifi50'
	option dest 'lan'

What device is located at 192.168.0.1 and used as a router?

It needs static routes to 192.168.4.0/24 and 192.168.5.0/24. (A single route to 192.168.4.0/23 covers both.) The router also needs to apply NAT to traffic that it sends to the internet from these subnets.

The alternative to the above is to enable NAT on the "Routed AP", i.e. enable "masquerade" on the lan zone. This results in double NAT, which you generally want to avoid.

192.168.0.1 is a firewall. WiFi clients cannot even reach anything in 192.168.0.0/24 as yet, though. So I'll hold off on messing with the firewall for now.

IP masquerading makes sense, though there's nothing about it in the default set-up and no mention of it on the "Routed AP" page. Is there anything more to it than what LuCI adds --

config zone
	option name 'wifi24'
	option network 'wifi24'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	**option masq '1'**

config zone
	option name 'wifi50'
	option network 'wifi50'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	**option masq '1'**

?

Routes to wlan0 and wlan1 are already in the AP's routing table --

192.168.4.0     *               255.255.255.0   U     0      0        0 wlan0
192.168.5.0     *               255.255.255.0   U     0      0        0 wlan1

Did you mean something else?

I had a look at the page, and the configuration is based on the OpenWrt default configuration. But you are using a modified configuration with the default gateway on the lan interface. (The wan interface uses masquerade by default.)

The routes are needed on the devices in 192.168.0.0/24, or at least the router/firewall which is the default gateway used on those devices.

I agree. Thanks for the help, mikma.

Static routes on the default router / firewall at 192.168.0.1 were needed. Packets were getting out, but were not getting routed back. On 192.168.0.2 --

tcpdump icmp -n
23:31:31.144604 IP 192.168.5.131 > 192.168.0.2: ICMP echo request, id 14, seq 1, length 64
23:31:31.144665 IP 192.168.0.2 > 192.168.5.131: ICMP echo reply, id 14, seq 1, length 64
23:31:32.135018 IP 192.168.5.131 > 192.168.0.2: ICMP echo request, id 14, seq 2, length 64
23:31:32.135070 IP 192.168.0.2 > 192.168.5.131: ICMP echo reply, id 14, seq 2, length 64
23:31:33.144512 IP 192.168.5.131 > 192.168.0.2: ICMP echo request, id 14, seq 3, length 64
23:31:33.144560 IP 192.168.0.2 > 192.168.5.131: ICMP echo reply, id 14, seq 3, length 64

Masquerading wasn't needed at the AP; the cable modem handles it.

Trying to mark this thread as "Solved."
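To show the asymmetric return path this thread ran into (requests reach 192.168.0.2, replies go to the default router and leave the LAN) and why a single 192.168.4.0/23 static route via the AP fixes it, here is an added Python model; it is not code from the thread or from OpenWrt, and the four-device topology, the router's pre-fix table and the hop-by-hop trace logic are constructed assumptions based on the posted configuration.

```python
import ipaddress

# Constructed model of the thread's network (added example, not code from the
# thread or OpenWrt): wifi client, "Routed AP" (192.168.0.250/192.168.4.1/
# 192.168.5.1), default router 192.168.0.1 and LAN host 192.168.0.2.
# A route is (prefix, next_hop); next_hop None means directly connected.
ROUTER_BEFORE = [("0.0.0.0/0", "192.168.1.1"), ("192.168.0.0/24", None)]
# The fix: one static route to 192.168.4.0/23 via the AP covers both wifi subnets.
ROUTER_AFTER = ROUTER_BEFORE + [("192.168.4.0/23", "192.168.0.250")]

def build_nodes(router_routes):
    """Return {name: (addresses, routes)} for the four modelled devices."""
    return {
        "client": ({"192.168.5.131"}, [("0.0.0.0/0", "192.168.5.1"), ("192.168.5.0/24", None)]),
        "ap": ({"192.168.0.250", "192.168.4.1", "192.168.5.1"},
               [("0.0.0.0/0", "192.168.0.1"), ("192.168.0.0/24", None),
                ("192.168.4.0/24", None), ("192.168.5.0/24", None)]),
        "router": ({"192.168.0.1"}, router_routes),
        "host": ({"192.168.0.2"}, [("0.0.0.0/0", "192.168.0.1"), ("192.168.0.0/24", None)]),
    }

def lookup(routes, dst):
    """Longest-prefix match; returns (network, next_hop) or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def owner(nodes, addr):
    return next((n for n, (addrs, _) in nodes.items() if addr in addrs), None)

def trace(nodes, start, dst, max_hops=8):
    """Follow a packet hop by hop. The path ends at the owner of dst, at
    'upstream' if handed to a next hop outside the LAN, or at 'dropped'."""
    path, node = [start], start
    for _ in range(max_hops):
        route = lookup(nodes[node][1], dst)
        if route is None:
            return path + ["dropped"]
        target = owner(nodes, dst if route[1] is None else route[1])
        if target is None:
            return path + ["dropped" if route[1] is None else "upstream"]
        path.append(target)
        if target == owner(nodes, dst):
            return path
        node = target
    return path + ["dropped"]
```

Tracing the echo request from the client and the reply from the host with ROUTER_BEFORE reproduces the tcpdump symptom (reply handed upstream); with ROUTER_AFTER the reply comes back through the AP.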

If your problem is solved, feel free to mark the relevant post as the solution (like in the example below); and edit the title to add "[SOLVED]" to the beginning (click the pencil behind the topic).


OK, let's see if I've got this [SOLVED] bit right.
