Routing AP WiFi through Ethernet

I'm trying to configure a handheld device running an older version of OpenWrt (CHAOS CALMER 15.05).

In a normal scenario, the WiFi is setup in AP mode and an application running on a mobile device (Android or iOS) connects to the WiFi using a known IP (192.168.100.1). The majority of the time, the device is not connected via Ethernet and the Android/iOS application is simply interacting with the OpenWrt device.

Most times, the Android or iOS device has Internet connectivity through its own network such as LTE, etc.

I am looking for a solution where if the Ethernet port is connected to a "real network" that the Android or iOS device could connect to the OpenWrt AP and route through the device through the Ethernet port. This would be in a scenario that LTE, etc. is not available.

Note that when connected to Ethernet, we want to have that port using DHCP to get its IP from the "real" router while still having the WiFi in AP mode using the 192.168.100.1 address.

I have tried a number of the suggested ways of doing this such as Dumb AP and Bridged AP, as well as Routed Client. However, most seem to get only partially there, meaning I either get Internet access but lose the AP, or have the AP but cannot route through.

My current configuration files look like the following snippets. What am I missing?

Thanks.

/etc/config/network

	config interface 'loopback'
	        option ifname 'lo'
	        option proto 'static'
	        option ipaddr '127.0.0.1'
	        option netmask '255.0.0.0'

	config globals 'globals'
	        option ula_prefix 'fd15:938e:db31::/48'

	config interface 'lan'
	        option ifname 'eth0'
	        option force_link '1'
	        option macaddr '9c:65:f9:37:9f:01'
	        option type 'bridge'
	        option proto 'static'
	        option netmask '255.255.255.0'
	        option ip6assign '60'
	        option ipaddr '192.168.100.1'

	config switch
	        option name 'switch0'
	        option reset '1'
	        option enable_vlan '0'

	config interface 'wan'
	        option proto 'dhcp'

=========================

/etc/config/dhcp

	config dnsmasq
	        option domainneeded '1'
	        option boguspriv '1'
	        option filterwin2k '0'
	        option localise_queries '1'
	        option rebind_protection '1'
	        option rebind_localhost '1'
	        option local '/lan/'
	        option domain 'lan'
	        option expandhosts '1'
	        option nonegcache '0'
	        option authoritative '1'
	        option readethers '1'
	        option leasefile '/tmp/dhcp.leases'
	        option resolvfile '/tmp/resolv.conf.auto'
	        option localservice '1'
	        option dhcp_option '3'

	config dhcp 'lan'
	        option interface 'lan'
	        option start '100'
	        option limit '150'
	        option leasetime '12h'
	        option dhcpv6 'server'
	        option ra 'server'

	config dhcp 'wan'
	        option interface 'wan'
	        option ignore '1'

	config odhcpd 'odhcpd'
	        option maindhcp '0'
	        option leasefile '/tmp/hosts/odhcpd'
	        option leasetrigger '/usr/sbin/odhcpd-update'

=========================

/etc/config/firewall

	config defaults
	        option syn_flood '1'
	        option input 'ACCEPT'
	        option output 'ACCEPT'
	        option forward 'REJECT'

	config zone
	        option name 'lan'
	        list network 'lan'
	        option input 'ACCEPT'
	        option output 'ACCEPT'
	        option forward 'ACCEPT'

	config zone
	        option name 'wan'
	        list network 'wan'
	        list network 'wan6'
	        option output 'ACCEPT'
	        option forward 'REJECT'
	        option masq '1'
	        option mtu_fix '1'
	        option input 'ACCEPT'

	config forwarding
	        option src 'lan'
	        option dest 'wan'

	config rule
	        option name 'Allow-DHCP-Renew'
	        option src 'wan'
	        option proto 'udp'
	        option dest_port '68'
	        option target 'ACCEPT'
	        option family 'ipv4'

	config rule
	        option name 'Allow-Ping'
	        option src 'wan'
	        option proto 'icmp'
	        option icmp_type 'echo-request'
	        option family 'ipv4'
	        option target 'ACCEPT'

	config rule
	        option name 'Allow-IGMP'
	        option src 'wan'
	        option proto 'igmp'
	        option family 'ipv4'
	        option target 'ACCEPT'

	config rule
	        option name 'Allow-DHCPv6'
	        option src 'wan'
	        option proto 'udp'
	        option src_ip 'fe80::/10'
	        option src_port '547'
	        option dest_ip 'fe80::/10'
	        option dest_port '546'
	        option family 'ipv6'
	        option target 'ACCEPT'

	config rule
	        option name 'Allow-MLD'
	        option src 'wan'
	        option proto 'icmp'
	        option src_ip 'fe80::/10'
	        list icmp_type '130/0'
	        list icmp_type '131/0'
	        list icmp_type '132/0'
	        list icmp_type '143/0'
	        option family 'ipv6'
	        option target 'ACCEPT'

	config rule
	        option name 'Allow-ICMPv6-Input'
	        option src 'wan'
	        option proto 'icmp'
	        list icmp_type 'echo-request'
	        list icmp_type 'echo-reply'
	        list icmp_type 'destination-unreachable'
	        list icmp_type 'packet-too-big'
	        list icmp_type 'time-exceeded'
	        list icmp_type 'bad-header'
	        list icmp_type 'unknown-header-type'
	        list icmp_type 'router-solicitation'
	        list icmp_type 'neighbour-solicitation'
	        list icmp_type 'router-advertisement'
	        list icmp_type 'neighbour-advertisement'
	        option limit '1000/sec'
	        option family 'ipv6'
	        option target 'ACCEPT'

	config rule
	        option name 'Allow-ICMPv6-Forward'
	        option src 'wan'
	        option dest '*'
	        option proto 'icmp'
	        list icmp_type 'echo-request'
	        list icmp_type 'echo-reply'
	        list icmp_type 'destination-unreachable'
	        list icmp_type 'packet-too-big'
	        list icmp_type 'time-exceeded'
	        list icmp_type 'bad-header'
	        list icmp_type 'unknown-header-type'
	        option limit '1000/sec'
	        option family 'ipv6'
	        option target 'ACCEPT'

	config include
	        option path '/etc/firewall.user'

	config rule
	        option src 'wan'
	        option dest 'lan'
	        option proto 'esp'
	        option target 'ACCEPT'

	config rule
	        option src 'wan'
	        option dest 'lan'
	        option dest_port '500'
	        option proto 'udp'
	        option target 'ACCEPT'

=========================

/etc/config/wireless

	config wifi-device 'radio0'
	        option type 'ralink'
	        option variant 'mt7628'
	        option country 'TW'
	        option hwmode '11g'
	        option htmode 'HT40'
	        option channel 'auto'
	        option linkit_mode 'ap'
	        option disabled '0'

	config wifi-iface 'ap'
	        option device 'radio0'
	        option mode 'ap'
	        option network 'lan'
	        option ifname 'ra0'
	        option encryption 'none'
	        option ssid 'AP_WIFI'
	        option seq '1'

	config wifi-iface 'sta'
	        option device 'radio0'
	        option mode 'sta'
	        option network 'wan'
	        option ifname 'apcli0'
	        option led 'mediatek:orange:wifi'
	        option ssid 'STA_WIFI'
	        option key 'TBD_KEY'
	        option encryption 'psk'

I'll try to answer your question, but first...

OpenWrt 15.05 (Chaos Calmer) is ancient, unsupported, and has many known security vulnerabilities. It should not be used in any context that has a direct connection to the internet (many would say it shouldn't be used with any connection to the internet). You should consider upgrading to a newer version (19.07 or 21.02), and if your hardware isn't supported, that device should be retired.

Security aside, a lot has changed in the ensuing 6 years, so the configuration files, formatting nuances, and other things may be sufficiently different that most people (including myself) will probably not remember the ins-and-outs of that version anymore and thus may steer you in the wrong direction.

Now, with those warnings stated up front...

All you should need to do is remove this line from the lan network interface
option ifname 'eth0'
and then add that same line into the wan network interface.

This will put the ethernet port on the wan interface (which is configured as a DHCP client). The wan should get an IP from the upstream network, and the device should operate as a standard router. This should work as long as the upstream network does not overlap with your lan (192.168.100.0/24).

As there've been several high profile vulnerabilities in the wireless stack and drivers found and fixed in the meantime as well, these obsolete releases (lacking those fixes and more) shouldn't be used at all.


Good point. I was thinking of the core functionality and didn’t even consider the major WiFi vulnerabilities that were revealed over the last few years.


Thanks.

I will try that simple change and also recommend/encourage/pester the platform team to upgrade to a newer, safer version of OpenWrt.

Thanks again!

It's the mobile client's choice whether it will access the Internet via wifi instead of its 4G connection. Generally if DHCP is used and the wifi network advertises itself as a default gateway, the mobile will prefer that. If the mobile is configured as a static IP with no gateway set, it will continue to use 4G.

As far as an OpenWrt wifi AP being a path to the Internet, you can do that either as a bridge (dumb AP) or as a router. That's really a choice based on the upstream network. In the dumb AP scenario, the upstream router will be serving the clients' DHCP.

I did try the "simple fix" proposed by psherman and it still appears to be 90% of the way there. The current network config, as well as the results and the route table are listed below.

When I connect a client to the access point, I get an address in the 192.16.100.xxx range (which is what I want), however, the router address associated with this WiFi connection on the client device (an iPad) is empty and it will not connect through the WAN side to the Internet.

I am pushing our hardware team to migrate to a newer version of OpenWrt but would like to see that this configuration can work.

Thanks in advance for any other suggestions.

# cat network 

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd2f:cf9c:4c9a::/48'

config interface 'lan'
        option force_link '1'
        option macaddr '9c:65:f9:37:9f:01'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.100.1'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '0'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'

# ifconfig
br-lan    Link encap:Ethernet  HWaddr 9C:65:F9:37:9F:01  
          inet addr:192.168.100.1  Bcast:192.168.100.255  Mask:255.255.255.0
          inet6 addr: fe80::9e65:f9ff:fe37:9f01/64 Scope:Link
          inet6 addr: fd2f:cf9c:4c9a::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:74 errors:0 dropped:0 overruns:0 frame:0
          TX packets:57 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:17540 (17.1 KiB)  TX bytes:9523 (9.2 KiB)

eth0      Link encap:Ethernet  HWaddr 9C:65:F9:37:9F:01  
          inet addr:10.0.0.83  Bcast:10.0.0.255  Mask:255.255.255.0
          inet6 addr: fe80::9e65:f9ff:fe37:9f01/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:28 errors:0 dropped:1 overruns:0 frame:0
          TX packets:132 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:4189 (4.0 KiB)  TX bytes:36009 (35.1 KiB)
          Interrupt:5 

eth0.1    Link encap:Ethernet  HWaddr 9C:65:F9:37:9F:01  
          inet6 addr: fe80::9e65:f9ff:fe37:9f01/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:5932 (5.7 KiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:601 errors:0 dropped:0 overruns:0 frame:0
          TX packets:601 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:35572 (34.7 KiB)  TX bytes:35572 (34.7 KiB)

ra0       Link encap:Ethernet  HWaddr 9C:65:F9:37:AB:1E  
          inet6 addr: fe80::9e65:f9ff:fe37:ab1e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:355 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:41343 (40.3 KiB)  TX bytes:17344 (16.9 KiB)
          Interrupt:6 

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    0      0        0 eth0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.0.0.1        0.0.0.0         255.255.255.255 UH    0      0        0 eth0
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0        0 br-lan

May have solved the issue. The /etc/config/dhcp file had the following line included in the dnsmasq config definition. Documentation indicates that this actually disables the gateway.

I removed the line and now I can connect via the AP and access the Internet via the Ethernet port.

Now, just to convince the hardware team to upgrade to a newer version due to the security vulnerabilities of this old version. 99% of the time, it will not be connected via Ethernet so that may mitigate some of the concerns.

Thanks again for all your help!


Solution involved two parts.

  1. Moving the option ifname 'eth0' from the lan definition to the wan definition in /etc/config/network. (Thanks @psherman !)
  2. Removing the option dhcp_option '3' from the dnsmasq definition in /etc/config/dhcp.
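A check for the two defects this thread settles on, added here as an example and not code from the thread or from OpenWrt: a small parser for UCI option/list syntax (an assumption: enough for the lines shown, not a full UCI implementation) run over constructed before/after snippets of /etc/config/network and /etc/config/dhcp. The dnsmasq behaviour it flags is documented: a dhcp_option given as a bare number with no value tells dnsmasq to suppress that option, and option 3 is the router.

```python
import re

# Constructed samples (not the thread's full files): the two defects, then the corrected form of each.
NETWORK_BEFORE = """
config interface 'lan'
        option ifname 'eth0'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.100.1'
config interface 'wan'
        option proto 'dhcp'
"""
NETWORK_AFTER = NETWORK_BEFORE.replace("        option ifname 'eth0'\n", "").replace(
    "config interface 'wan'\n", "config interface 'wan'\n        option ifname 'eth0'\n")

DHCP_BEFORE = """
config dnsmasq
        option authoritative '1'
        option dhcp_option '3'
config dhcp 'lan'
        option interface 'lan'
"""
DHCP_AFTER = DHCP_BEFORE.replace("        option dhcp_option '3'\n", "")

def parse_uci(text):
    """Parse UCI text into a list of (type, name, {option: [values]}) sections."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^config\s+(\S+)(?:\s+'?([^']*)'?)?$", line)
        if m:
            sections.append((m.group(1), m.group(2) or "", {}))
            continue
        m = re.match(r"^(option|list)\s+(\S+)\s+'?(.*?)'?$", line)
        if m and sections:  # 'list' keys accumulate, 'option' keys normally appear once
            sections[-1][2].setdefault(m.group(2), []).append(m.group(3))
    return sections

def find_issues(network_text, dhcp_text):
    """Return findings; an empty list means neither of the thread's two defects is present."""
    issues = []
    for typ, name, opts in parse_uci(network_text):
        if typ == "interface" and name == "lan" and "eth0" in opts.get("ifname", []):
            issues.append("lan: eth0 is bridged into the AP side instead of serving as wan")
    for typ, _name, opts in parse_uci(dhcp_text):
        # A bare '3' (no address) suppresses the router option, so AP clients get no gateway.
        if typ == "dnsmasq" and "3" in opts.get("dhcp_option", []):
            issues.append("dnsmasq: dhcp_option '3' without an address withholds the default gateway")
    return issues
```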
