Routed AP no internet connection

skuppa · January 1, 2019, 11:26pm

I followed the Routed AP configuration wiki, https://openwrt.org/docs/guide-user/network/wifi/routedap but internet communication not properly working, DNS resolves the IP address but communication between the target host and client computer is not working.

My main router IP address is 192.168.55.1 and OpenWRT router is configured with 192.168.2.1/24 subnet. My configuration as follows.

/etc/config/network

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0'
        option proto 'static'
        option ipaddr '192.168.55.3'
        option netmask '255.255.255.0'
        option gateway '192.168.55.1'
        option dns '192.168.55.1'

config interface 'wifi'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option gateway '192.168.55.1'
        option dns '192.168.55.1'

/etc/config/firewall (+ default configuration from openwrt install)

config zone
	option name 'wifi'
	list network 'wifi'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'wifi'
	option dest 'wan'

config forwarding
	option src 'lan'
	option dest 'wifi'

config forwarding
	option src 'wifi'
	option dest 'lan'

/etc/config/wireless

config wifi-device 'wl0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'platform/soc/3f300000.mmc/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
	option htmode 'VHT80'
	option disabled '0'

config wifi-iface
	option device 'wl0'
	option network 'wifi'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'psk2'
    option key 'some password'

From OpenWrt console, I am able to ping the google.com and install packages, everything works great.

root@OpenWrt:~# ping google.com
PING google.com (216.58.195.238): 56 data bytes
64 bytes from 216.58.195.238: seq=0 ttl=53 time=12.024 ms
64 bytes from 216.58.195.238: seq=1 ttl=53 time=12.390 ms
64 bytes from 216.58.195.238: seq=2 ttl=53 time=11.487 ms
64 bytes from 216.58.195.238: seq=3 ttl=53 time=11.929 ms

I am able to connect to the Wifi network OpenWrt and I get an IP address. When I ping from my client computer then I am getting request timeout and I am missing some configuration, I would really appreciate if someone gives some guidelines to resolve this issue.

From OpenWrt console (tcpdump)

root@OpenWrt:~# tcpdump icmp -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
23:20:17.220716 IP 192.168.2.110 > 216.58.195.238: ICMP echo request, id 16427, seq 0, length 64
23:20:18.226091 IP 192.168.2.110 > 216.58.195.238: ICMP echo request, id 16427, seq 1, length 64
23:20:19.230200 IP 192.168.2.110 > 216.58.195.238: ICMP echo request, id 16427, seq 2, length 64
23:20:20.233514 IP 192.168.2.110 > 216.58.195.238: ICMP echo request, id 16427, seq 3, length 64
23:20:21.233639 IP 192.168.2.110 > 216.58.195.238: ICMP echo request, id 16427, seq 4, length 64
23:20:21.528415 IP 192.168.55.3 > 192.168.55.1: ICMP 192.168.55.3 udp port 137 unreachable, length 86
23:20:22.070366 IP 192.168.55.3 > 192.168.55.1: ICMP 192.168.55.3 udp port 137 unreachable, length 86
23:20:22.235002 IP 192.168.2.110 > 216.58.195.238: ICMP echo request, id 16427, seq 5, length 64
23:20:23.234857 IP 192.168.2.110 > 216.58.195.238: ICMP echo request, id 16427, seq 6, length 64
23:20:24.236183 IP 192.168.2.110 > 216.58.195.238: ICMP echo request, id 16427, seq 7, length 64
^C
10 packets captured
10 packets received by filter
0 packets dropped by kernel

From client computer

^^>>> ping google.com                                                                                                                                  15:20:09
PING google.com (216.58.195.238): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
Request timeout for icmp_seq 4
Request timeout for icmp_seq 5
Request timeout for icmp_seq 6

Thanks in Adv,
-Kuppa

mk24 · January 1, 2019, 11:55pm

Main network must be a different IP range than the sub-router's LAN that you're routing from. Not sure exactly what you've done here but it looks like it does not meet that criteria.

I suggest you start over with a default configuration. The default 'lan' and 'wan' interfaces and firewall rules will work. There is no need to create others (yet).

Set LAN IP to 192.168.55.1 and re-login to your router on the new address.
Remove ethernet interface from the wan network. wan network must not be a bridge.
Static IP the WAN (in the 192.168.2.X range, gateway and DNS point to the main router (192.168.2.1) or (I recommend) you can leave it a DHCP client.
Create a wifi client with credentials to connect to the main router, and attach it to the wan network.

skuppa · January 2, 2019, 1:27am

Thanks for the response. I think, my question is not clear.

My main router is 192.168.55.1
OpenWrt AP is 192.168.2.1

they both are in two different subnetworks.

I created a wan network with eth0 (without bridge) and deleted lan (br-lan) network. It works now.

My goal is to create an AP, ethernet port connects to the existing network (main network) and clients will be accessing the subnetwork (openwrt routed ap) network via wireless only. I wanted to keep this network separate from the main network since this network going to have a separate configuration such as caching configuration.

Thanks,
-Kuppa

trendy · January 3, 2019, 10:52pm

Looks to me that the main router doesn't have a route for 192.168.2.0/24 via 192.168.55.3

lleachii · January 4, 2019, 5:56pm

The gateway is INVALID here. It's not in the same subnet as the host:

skuppa:

config interface 'wifi'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option gateway '192.168.55.1'
        option dns '192.168.55.1'

mk24 · January 4, 2019, 8:19pm

If you're connected by wire the default configuration already does what you want. Simply plug in the WAN port to a LAN port of the main router. If your main router does not issue DHCP you need to set a static IP on the wan network (in the main router's range, 192.168.55.x but not 55.1) and make the gateway and DNS 192.168.55.1, again this is in the WAN network only.

I'm not sure what your "wifi" network is for. If it is a guest network it needs to be in a different range than either the wan or the lan. Make an additional firewall zone for the guests and forward from wifi to wan.

trendy · January 5, 2019, 1:38pm

Yes, it is invalid hence it will be ignored. But this is not the problem, because the router already has the default gateway on lan interface, in wifi it is not needed.

@skuppa please post the whole configuration. You mention the wan interface on the firewall configuration, but only the lan and wifi are shown in network configuration. And the lan seems to be acting as wan, as it connects upstream. Did you add the static route in the main router?

bmsleight · December 20, 2020, 1:04pm

Drove me mad - for anyone else...

Need to ass "option masq 1" to lan firewall

config zone                                            
        option name             lan           
        list   network          'lan'        
        option input            ACCEPT    
        option output           ACCEPT             
        option forward          ACCEPT             
        option masq 1