I am trying to configure what I think is called a routed client using masquerade set up. At least, I believe that what I am trying to achieve is very similar to the diagram in the routed client documentation. In a nutshell, I am trying to use the two radios in a Netgear R6220 to make a private network that can access the ISPs wifi network for internet. Diagram with some further details for clarity.
These are the steps that I have taken to try and set this system up, always starting from the OpenWRT install / reset to defaults.
- Set root password
- Replace wpad-mini with wpad (ISP network uses WPA2-EAP)
- Using LuCI, enable radio1 (5 GHz) in client mode, scan, and join the ISP's network adding it to a new interface wwan which is placed in the wan firewall zone. The existing master configuration is replaced with this client one.
- Continuing with the web interface, enable radio0 (2.4 GHz) in master mode using WPA2-PSK encryption
After following these steps, my router has the following configuration. Note that I have removed many at symbols since the forum was freaking out about me tagging users.
uci show wireless
wireless.radio0=wifi-device
wireless.radio0.type='mac80211'
wireless.radio0.channel='11'
wireless.radio0.hwmode='11g'
wireless.radio0.path='pci0000:00/0000:00:01.0/0000:02:00.0'
wireless.radio0.htmode='HT20'
wireless.radio0.country='00'
wireless.radio0.legacy_rates='1'
wireless.default_radio0=wifi-iface
wireless.default_radio0.device='radio0'
wireless.default_radio0.network='lan'
wireless.default_radio0.mode='ap'
wireless.default_radio0.ssid='MyPrivateAP'
wireless.default_radio0.encryption='psk2'
wireless.default_radio0.key='MyPrivateKey'
wireless.radio1=wifi-device
wireless.radio1.type='mac80211'
wireless.radio1.hwmode='11a'
wireless.radio1.path='pci0000:00/0000:00:00.0/0000:01:00.0'
wireless.radio1.htmode='VHT80'
wireless.radio1.disabled='0'
wireless.radio1.channel='40'
wireless.radio1.country='00'
wireless.radio1.legacy_rates='1'
wireless.wifi-iface[1]=wifi-iface
wireless.wifi-iface[1].network='wwan'
wireless.wifi-iface[1].ssid='myisp'
wireless.wifi-iface[1].device='radio1'
wireless.wifi-iface[1].mode='sta'
wireless.wifi-iface[1].bssid='00:00:00:00:00:00'
wireless.wifi-iface[1].encryption='wpa2'
wireless.wifi-iface[1].eap_type='peap'
wireless.wifi-iface[1].auth='EAP-MSCHAPV2'
wireless.wifi-iface[1].identity='user@isp.net'
wireless.wifi-iface[1].password='password'
uci show network
network.loopback=interface
network.loopback.ifname='lo'
network.loopback.proto='static'
network.loopback.ipaddr='127.0.0.1'
network.loopback.netmask='255.0.0.0'
network.globals=globals
network.globals.ula_prefix='fd13:1f4b:34df::/48'
network.lan=interface
network.lan.type='bridge'
network.lan.ifname='eth0.1'
network.lan.proto='static'
network.lan.ipaddr='192.168.1.1'
network.lan.netmask='255.255.255.0'
network.lan.ip6assign='60'
network.lan_dev=device
network.lan_dev.name='eth0.1'
network.lan_dev.macaddr='08:02:8e:e8:55:69'
network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='dhcp'
network.wan_dev=device
network.wan_dev.name='eth0.2'
network.wan_dev.macaddr='08:02:8e:e8:55:68'
network.wan6=interface
network.wan6.ifname='eth0.2'
network.wan6.proto='dhcpv6'
network.switch[0]=switch
network.switch[0].name='switch0'
network.switch[0].reset='1'
network.switch[0].enable_vlan='1'
network.switch_vlan[0]=switch_vlan
network.switch_vlan[0].device='switch0'
network.switch_vlan[0].vlan='1'
network.switch_vlan[0].ports='0 1 2 3 6t'
network.switch_vlan[1]=switch_vlan
network.switch_vlan[1].device='switch0'
network.switch_vlan[1].vlan='2'
network.switch_vlan[1].ports='4 6t'
network.wwan=interface
network.wwan.proto='dhcp'
uci show firewall
firewall.defaults[0]=defaults
firewall.defaults[0].syn_flood='1'
firewall.defaults[0].input='ACCEPT'
firewall.defaults[0].output='ACCEPT'
firewall.defaults[0].forward='REJECT'
firewall.zone[0]=zone
firewall.zone[0].name='lan'
firewall.zone[0].input='ACCEPT'
firewall.zone[0].output='ACCEPT'
firewall.zone[0].forward='ACCEPT'
firewall.zone[0].network='lan'
firewall.zone[1]=zone
firewall.zone[1].name='wan'
firewall.zone[1].input='REJECT'
firewall.zone[1].output='ACCEPT'
firewall.zone[1].forward='REJECT'
firewall.zone[1].masq='1'
firewall.zone[1].mtu_fix='1'
firewall.zone[1].network='wan wan6 wwan'
firewall.forwarding[0]=forwarding
firewall.forwarding[0].src='lan'
firewall.forwarding[0].dest='wan'
firewall.rule[0]=rule
firewall.rule[0].name='Allow-DHCP-Renew'
firewall.rule[0].src='wan'
firewall.rule[0].proto='udp'
firewall.rule[0].dest_port='68'
firewall.rule[0].target='ACCEPT'
firewall.rule[0].family='ipv4'
firewall.rule[1]=rule
firewall.rule[1].name='Allow-Ping'
firewall.rule[1].src='wan'
firewall.rule[1].proto='icmp'
firewall.rule[1].icmp_type='echo-request'
firewall.rule[1].family='ipv4'
firewall.rule[1].target='ACCEPT'
firewall.rule[2]=rule
firewall.rule[2].name='Allow-IGMP'
firewall.rule[2].src='wan'
firewall.rule[2].proto='igmp'
firewall.rule[2].family='ipv4'
firewall.rule[2].target='ACCEPT'
firewall.rule[3]=rule
firewall.rule[3].name='Allow-DHCPv6'
firewall.rule[3].src='wan'
firewall.rule[3].proto='udp'
firewall.rule[3].src_ip='fc00::/6'
firewall.rule[3].dest_ip='fc00::/6'
firewall.rule[3].dest_port='546'
firewall.rule[3].family='ipv6'
firewall.rule[3].target='ACCEPT'
firewall.rule[4]=rule
firewall.rule[4].name='Allow-MLD'
firewall.rule[4].src='wan'
firewall.rule[4].proto='icmp'
firewall.rule[4].src_ip='fe80::/10'
firewall.rule[4].icmp_type='130/0' '131/0' '132/0' '143/0'
firewall.rule[4].family='ipv6'
firewall.rule[4].target='ACCEPT'
firewall.rule[5]=rule
firewall.rule[5].name='Allow-ICMPv6-Input'
firewall.rule[5].src='wan'
firewall.rule[5].proto='icmp'
firewall.rule[5].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type' 'router-solicitation' 'neighbour-solicitation' 'router-advertisement' 'neighbour-advertisement'
firewall.rule[5].limit='1000/sec'
firewall.rule[5].family='ipv6'
firewall.rule[5].target='ACCEPT'
firewall.rule[6]=rule
firewall.rule[6].name='Allow-ICMPv6-Forward'
firewall.rule[6].src='wan'
firewall.rule[6].dest='*'
firewall.rule[6].proto='icmp'
firewall.rule[6].icmp_type='echo-request' 'echo-reply' 'destination-unreachable' 'packet-too-big' 'time-exceeded' 'bad-header' 'unknown-header-type'
firewall.rule[6].limit='1000/sec'
firewall.rule[6].family='ipv6'
firewall.rule[6].target='ACCEPT'
firewall.rule[7]=rule
firewall.rule[7].name='Allow-IPSec-ESP'
firewall.rule[7].src='wan'
firewall.rule[7].dest='lan'
firewall.rule[7].proto='esp'
firewall.rule[7].target='ACCEPT'
firewall.rule[8]=rule
firewall.rule[8].name='Allow-ISAKMP'
firewall.rule[8].src='wan'
firewall.rule[8].dest='lan'
firewall.rule[8].dest_port='500'
firewall.rule[8].proto='udp'
firewall.rule[8].target='ACCEPT'
firewall.include[0]=include
firewall.include[0].path='/etc/firewall.user'
At this point, OpenWRT has internet access. I can ping google, run opkg update, and install tcpdump which I found useful for debugging. Devices in the 192.168.0.0/24 network can ping 192.168.1.1, 10.1.0.2 and even 10.1.0.1, but not further (e.g., to 1.1.1.1). When I run two instances of tcpdump on my router, that is, tcpdump -ni eth0 icmp and tcpdump -ni wlan1 icmp, while pinging 1.1.1.1 from an ethernet device, I can see that my ICMP packets are finding their way out to the internet and that I am getting a reply, but OpenWRT is not forwarding those replies to the devices in the 192.168.0.0/24 network.
tcpdump -ni eth0 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
18:39:39.781293 IP 192.168.1.102 > 1.1.1.1: ICMP echo request, id 10601, seq 1, length 64
18:39:40.791117 IP 192.168.1.102 > 1.1.1.1: ICMP echo request, id 10601, seq 2, length 64
18:39:41.815154 IP 192.168.1.102 > 1.1.1.1: ICMP echo request, id 10601, seq 3, length 64
tcpdump -ni wlan1 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan1, link-type EN10MB (Ethernet), capture size 262144 bytes
18:39:39.781580 IP 10.1.0.2 > 1.1.1.1: ICMP echo request, id 10601, seq 1, length 64
18:39:39.791636 IP 1.1.1.1 > 10.1.0.2: ICMP echo reply, id 10601, seq 1, length 64
18:39:39.791860 IP 10.1.0.2 > 1.1.1.1: ICMP time exceeded in-transit, length 92
18:39:39.814686 IP 10.1.0.2 > 139.59.210.197: ICMP time exceeded in-transit, length 68
18:39:40.014720 IP 10.1.0.2 > 139.59.210.197: ICMP time exceeded in-transit, length 68
18:39:40.791284 IP 10.1.0.2 > 1.1.1.1: ICMP echo request, id 10601, seq 2, length 64
18:39:40.802044 IP 1.1.1.1 > 10.1.0.2: ICMP echo reply, id 10601, seq 2, length 64
18:39:40.802313 IP 10.1.0.2 > 1.1.1.1: ICMP time exceeded in-transit, length 92
18:39:41.132464 IP 10.1.0.2 > 139.59.210.197: ICMP time exceeded in-transit, length 68
18:39:41.387817 IP 10.1.0.2 > 216.58.208.99: ICMP time exceeded in-transit, length 68
18:39:41.643940 IP 10.1.0.2 > 216.58.208.99: ICMP time exceeded in-transit, length 68
18:39:41.815319 IP 10.1.0.2 > 1.1.1.1: ICMP echo request, id 10601, seq 3, length 64
18:39:41.826429 IP 1.1.1.1 > 10.1.0.2: ICMP echo reply, id 10601, seq 3, length 64
18:39:41.826703 IP 10.1.0.2 > 1.1.1.1: ICMP time exceeded in-transit, length 92
18:39:42.614793 IP 10.1.0.2 > 139.59.210.197: ICMP time exceeded in-transit, length 68
I have tried many different things to get data flowing in both directions without much luck. This includes trying to move wlan1 out of the wwan interface and putting it inside of wan interface so that the firewall set up for the normal wan interface configuration would be applied (sometimes removing eth0.2 in case it was interfering). I have tried following the routed client documentation but it feels outdated and I usually end up with a less working configuration than what I get when I follow the steps above. Any hints would really be appreciated!