I have been searching through postings with regard to this and nothing appears to work.
I suspect I have to turn off the firewall on the client but that seems to cause more problems.
Does anyone have a solution for the following?
I have an OpenWrt router, Linksys WRT3200ACM, working as an access point and as an internet gateway. The subnet is 192.168.207.0. As well, I have an OpenWrt router, OpenWrt One, working as a wireless client to the Linksys host. Its subnet is 192.168.101.0. Both are running version 23.05.2. The One router sees the Linksys as its gateway.
I have full internet access from the One clients, and access to the clients connected to the Linksys. I cannot access the clients on the second subnet from the first subnet even though I followed the instructions found here -
https://openwrt.org/docs/guide-user/network/wifi/wifiextenders/wds
To me it looks like a firewall issue but I am uncertain how to shut down the firewall or reassign its zone. Any advice is appreciated.
The general guidance is that you need to:
- Disable masquerading on the downstream router (One)
- Allow forwarding from the wan zone (or whatever zone is used for the uplink network) > lan on the downstream router (One)
- Set a static route on the upstream router (WRT3200ACM).
The static route would be 192.168.101.0/24 via 192.168.207.x where x is the address of the OpenWrt One on the WRT3200ACM's lan.
If you need specific help, though, please post the following from each router:
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </>" button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have:
ubus call system board
cat /etc/config/network
cat /etc/config/firewall
Thanks Greatly
I will try this out and get back to you...
Just adding the system information...
Again thanks for your assistance.
For the Linksys -
root@Aivan:~# ubus call system board
{
"kernel": "5.15.137",
"hostname": "Aivan",
"system": "ARMv7 Processor rev 1 (v7l)",
"model": "Linksys WRT3200ACM",
"board_name": "linksys,wrt3200acm",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.2",
"revision": "r23630-842932a63d",
"target": "mvebu/cortexa9",
"description": "OpenWrt 23.05.2 r23630-842932a63d"
}
}
root@Aivan:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd3c:d085:9bc1::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan1'
list ports 'lan2'
list ports 'lan3'
list ports 'lan4'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option netmask '255.255.255.0'
option ip6assign '60'
option ipaddr '192.168.207.66'
config device
option name 'wan'
option macaddr 'ea:9f:80:19:a3:b8'
config interface 'wan'
option device 'wan'
option proto 'dhcp'
option hostname '*'
config interface 'wan6'
option device 'wan'
option proto 'dhcpv6'
config route
option interface 'lan'
option target '192.168.101.0/24'
option gateway '192.168.207.110'
root@Aivan:~# cat /etc/config/firewall
config defaults
option syn_flood '1'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
config zone
option name 'lan'
list network 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
And for the "One" -
root@zagnut:~# ubus call system board
{
"kernel": "6.6.63",
"hostname": "zagnut",
"system": "ARMv8 Processor rev 4",
"model": "OpenWrt One",
"board_name": "openwrt,one",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "24.10.0-rc2",
"revision": "r28161-ea17e958b9",
"target": "mediatek/filogic",
"description": "OpenWrt 24.10.0-rc2 r28161-ea17e958b9",
"builddate": "1733226068"
}
}
root@zagnut:~# cat /etc/config/network
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fd48:3b22:9794::/48'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.101.35'
option netmask '255.255.255.0'
option ip6assign '60'
config interface 'wan'
option device 'eth0'
option proto 'static'
option ipaddr '192.168.101.45'
option netmask '255.255.255.0'
option gateway '192.168.101.35'
config interface 'wan6'
option device 'eth0'
option proto 'dhcpv6'
config interface 'wwan'
option proto 'static'
option device 'phy0-sta0'
option ipaddr '192.168.207.249'
option netmask '255.255.255.0'
option gateway '192.168.207.66'
list dns '192.168.207.66'
root@zagnut:~# cat /etc/config/firewall
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
config zone
option name 'wan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
list network 'wan'
list network 'wwan'
option masq '1'
config forwarding
option src 'lan'
option dest 'wan'
Just one change on the upstream router:
Your gateway address here is wrong:
Based on the config of the downstream device, the wwan has an address of 192.168.207.249. Fix the address above.
Then, on the downstream device:
You have two interfaces with the same subnet. This causes a conflict and therefore breaks routing. Delete the wan interface:
Delete the device line below:
Remove the masquerading line:
Currently, the config will allow the downstream to reach the upstream, but not the other way around. If you want both sides to be able to initiate connections to the other, add this:
config forwarding
option src 'wan'
option dest 'lan'
Restart both devices and test.
Also, 24.10.0 was just released. You should upgrade both devices to the latest.
- Your WRT3200ACM is currently using 23.05.2. The latest update for 23.05 is 23.05.5. But you can (and probably should) upgrade to 24.10.0.
- The OpenWrt One is on 24.10.0-rc2. This is a 'release candidate' build and the stable 24.10.0 was released earlier this week.
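The four problems diagnosed in the reply above (two downstream interfaces in one subnet, masquerading on the uplink zone, no uplink-to-lan forwarding, and an upstream static route with the wrong gateway) can be checked mechanically before restarting anything. This is an added example, not part of the original thread or of OpenWrt's tooling: `parse_uci` and `audit` are hypothetical helpers, the sample is condensed from the values posted above, and the uplink interface is assumed to belong to a firewall zone.

```python
import shlex
from ipaddress import ip_interface, ip_network

def parse_uci(text):  # example helper, not an OpenWrt tool; option/list values become lists
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if tok and tok[0] == "config":
            sections.append({".type": tok[1], ".name": tok[2] if len(tok) > 2 else ""})
        elif len(tok) == 3 and tok[0] in ("option", "list") and sections:
            sections[-1].setdefault(tok[1], []).append(tok[2])
    return sections

def audit(downstream, upstream, uplink="wwan"):  # example helper; returns a list of findings
    down, out = parse_uci(downstream), []
    ifs = {s[".name"]: ip_interface(f"{s['ipaddr'][0]}/{s['netmask'][0]}")
           for s in down if s[".type"] == "interface" and "netmask" in s}
    out += [f"overlap {a}/{b}" for a in ifs for b in ifs  # two interfaces in one subnet
            if a < b and ifs[a].network.overlaps(ifs[b].network)]
    zone = next(s for s in down if s[".type"] == "zone" and uplink in s.get("network", []))
    zname, lan, gw = zone["name"][0], ifs["lan"].network, str(ifs[uplink].ip)
    if zone.get("masq") == ["1"]:  # NAT on the uplink zone hides the downstream LAN
        out.append(f"masq on {zname}")
    if not any(s[".type"] == "forwarding" and s.get("src") == [zname]
               and s.get("dest") == ["lan"] for s in down):
        out.append(f"no forwarding {zname}->lan")
    for r in parse_uci(upstream):  # upstream route must use the downstream uplink address
        if r[".type"] == "route" and ip_network(r["target"][0]) == lan and r["gateway"][0] != gw:
            out.append(f"route gateway {r['gateway'][0]} != {gw}")
    return out

# Constructed sample, condensed from the pre-fix configs posted in the thread.
DOWN = """config interface 'lan'
  option ipaddr '192.168.101.35'
  option netmask '255.255.255.0'
config interface 'wan'
  option ipaddr '192.168.101.45'
  option netmask '255.255.255.0'
config interface 'wwan'
  option ipaddr '192.168.207.249'
  option netmask '255.255.255.0'
config zone
  option name 'wan'
  list network 'wan'
  list network 'wwan'
  option masq '1'
config forwarding
  option src 'lan'
  option dest 'wan'"""
UP = "config route\n  option target '192.168.101.0/24'\n  option gateway '192.168.207.110'"
```

Calling `audit(DOWN, UP)` on the sample returns one finding per problem, and an empty list once the changes from the reply are applied. With masquerading off and `wan` to `lan` forwarding allowed, every host on 192.168.207.0/24 can open connections into 192.168.101.0/24, so this layout fits only an uplink network that is trusted.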
Thank you
I implemented all changes, except for the last.
I went back to the original instructions and I believe that it recommended combining the two firewall zones. I tried it out and it worked.