[Solved] Bridge wwan to lan

Hi,

I have OpenWrt configured on my router to bridge wan and lan - works fine, and I can access the GUI (web interface) from the wan side, just like I want (it's not a security issue, this is all behind my network gateway, internal to my home lan).

But - I can't seem to bridge wwan to that same bridge. I can assign wwan to the same firewall zone as wan, and that's fine, but I want to bridge them => access the GUI from wwan. Is there an easy way to do this?

Thanks!

This is not directly possible because the 802.11 standards do not account for a wifi > wired bridge (only wired > wifi).

You can use an upstream wifi network and route to a downstream network (which will necessarily be a different subnet), but bridging (same subnet) is not possible.

That said, there are two ways to do this:

  • if both devices (main router/AP and wireless-bridge device) run OpenWrt, you can use WDS -- this works best if both devices use the same wifi chipset.
  • If the upstream device is not running OpenWrt, you'll use relayd to achieve this goal.

Thanks for the info! I have to ask (sorry :laughing:),

Why not? Just curious. They are both network interfaces, on the same subnet (wwan and wan I mean) - just slightly confused. I can access the GUI on wan, because it's bridged to lan, but not wwan.

Makes sense! But I can also just open the firewall (Traffic Rule), to allow http (port 80) on wwan, agreed? Not a big deal, again was just curious - and figured just bridging them would make it simple.

Thanks!!

It has to do with the way that MAC addresses are implemented in the 802.11 standards.

I'm not exactly sure what you mean here. But accessing the router/AP itself is not the issue, it's the 'downlink' (ethernet and/or wifi) that doesn't work unless you use an alternate method (i.e. WDS/4addr, relayd, or even 802.11s mesh).

If you're talking about accessing the device itself, sure. In fact, if your upstream network is fully trusted, you can set the wan zone input rule to accept.

It's possible we're getting our wires crossed a bit, though, and I may be answering things that aren't directly related to your question/issue. Can you elaborate on what it is that you are hoping to achieve (end goal)?


No worries! And likely me wording it poorly :frowning_face:.

I want to take an old AP / router I have around, use it as a NUT UPS monitor ... but where it will be, there is only Wi-Fi, no hard wire => so upstream (from the router) is wireless, but still want to be able to connect to the OpenWrt web UI - thinking the best way is to allow port 80 through, on the wan / wwan side, agreed?

Thanks!

Ah... that helps! Thank you. I very much misunderstood what you were trying to do (and this was likely my fault -- skimming too quickly).

I did exactly this! Except I did mine with ethernet.

Actually, because you aren't trying to bridge wifi > ethernet or wifi > wifi, you don't need to make this a wwan at all -- it can be a wlan client. This would make sense because you said that your upstream network is fully trusted.

I can help you make that change...

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

Awesome! Ya, wired would be nice - just not available there :slight_smile:

Yep, I have it set up as a client ... but don't need wwan then still?

Actually, I have the router busted open, header soldered in, serial port available :rofl:. So even easier!

# ubus call system board
{
        "kernel": "5.15.137",
        "hostname": "wap-garage",
        "system": "Broadcom BCM4716",
        "model": "Unknown Board",
        "board_name": "0xF52C:01",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05.2",
                "revision": "r23630-842932a63d",
                "target": "bcm47xx/mips74k",
                "description": "OpenWrt 23.05.2 r23630-842932a63d"
        }
}
# cat /etc/config/network
config interface 'loopback'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'
        option device 'lo'

config globals 'globals'

config interface 'lan'
        option proto 'dhcp'
        option device 'br-lan'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0.2'
        option type 'bridge'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 8t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '4 8t'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'
        list ports 'eth0.2'

config interface 'wwan'
        option proto 'dhcp'
        option device 'phy0-sta0'
# cat /etc/config/wireless
config wifi-device 'radio0'
        option type 'mac80211'
        option path 'bcm47xx_soc/bcma0:4/ehci-platform.0/usb1/1-1/1-1.2/1-1.2:1.0'
        option channel 'auto'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        option country 'US'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'sta'
        option network 'wwan lan wan'
        option ssid 'XXXXX'
        option encryption 'sae'
        option key 'XXXXX'
# cat /etc/config/dhcp
config dnsmasq
        option localise_queries '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option rebind_protection '0'
        option domain 'XXX.home'
        option expandhosts '1'
        option localservice '0'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option domainneeded '1'
        option authoritative '1'

config dhcp 'lan'
        option interface 'lan'
        option ignore '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
# cat /etc/config/firewall
config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'
        list network 'wwan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'

config rule
        option name 'Allow-LuCI-on-Wan'
        list proto 'tcp'
        option src 'wan'
        option dest_port '80'
        option target 'ACCEPT'

Thanks!!

Delete these:

Now, remove the device br-lan from the lan interface:

remove wwan and wan from the wifi network (leaving only lan):

Then reboot the device and it should get an address via DHCP from your network on its lan... you'll have full access to administer the device since the link is with the lan (and not the wan which would be firewalled).


Brilliant! Thanks so much. And that makes sense ... assign wireless to lan (as a client), it doesn't need to be wwan. I couldn't see the forest for the trees :laughing:. That works perfectly, appreciate it!

Just one last question - if I were to connect a device to one of the lan switch ports then - disable DHCP on the lan interface, so then it is sent upstream?

Thanks again!

FYI, side note - but I still have some VLAN settings in place. I can't remember if they were there by default or not, so I'm not messing with them. Just in case :rofl: .

This won't work at all. In other words, the ethernet ports will probably appear dead. This is the context I was talking about with the wifi > wired bridge that is not (directly) possible. You'd need to implement something like WDS or relayd.

We can clean them up if you want, but no pressing need, IMO.

If your problem is solved, please consider marking this topic as [Solved]. See How to mark a topic as [Solved] for a short how-to.
Thanks! :slight_smile:

Makes sense, no biggie - just curious.

Actually, they may be right :slight_smile:. Based on,

  1. OpenWrt (default) VLAN config
  2. The source code target/linux/bcm47xx/base-files/etc/board.d/01_network, this shows,
        local vlan0ports="$(nvram get vlan0ports)"
        local vlan1ports="$(nvram get vlan1ports)"
        local vlan2ports="$(nvram get vlan2ports)"

and,

# nvram show | grep vlan | grep ports
vlan2ports=4 8u
vlan1ports=0 1 2 3 8*

I assume u means untagged, not sure what * means ... LOL.

Will right now, thanks!!
