[Solved] Routing help with wireless device connected in client

Hello,
First of all this is not really just an OpenWrt specific question, it's more like general TCP/IP knowledge (or the lack of). But it may be OpenWrt specific when it comes to routing and network bridges. First I'll try to paste in a rudimentary ASCII diagram that I created about a part of my setup:


                                                          +------------------+             +------------------+
                                                          |ap1 wifi radio1   |             |client device1    |
                                                      +---+br1: if1,radio1   +-+ +-+ +-+ +-+172.21.100.69     |
                                                      |   +------------------+             +------------------+
                                                      |
                             +--------------------+   |   +------------------+             +------------------+
                             |OpenWrt ap1         |   |   |ap1 wifi radio2   |             |client device2    |
                         +---+if1: 172.21.100.249 +---+---+br2: if1,radio2   +-+ +-+ +-+ +-+192.168.2.1       |
                         |   |if2: 192.168.2.249  |       +------------------+             +------------------+
                         |   +--------------------+
                         |    br66: if1,if2 (?)
                         |
+--------------------+   |
|OpenWrt main router |   |                                                                 +------------------+
|if1: 172.21.100.254 +---+-----------------------------------------------------------------+my client device3 |
|if2: ...            |                                                                     |172.21.100.66     |
|if3: ...            |                                                                     +------------------+
|...                 |
+--------------------+
static route1:
 iface if1
 target 192.168.2.0/24
 gw 172.21.100.249

What I'm trying to accomplish is the following: I would like to access the 192.168.2.0/24 subnet from my client (device3) which is by default on the 172.21.100.0/24 subnet. For this reason I have set up an additional static route on the main router, as described above. This has let me access and ping only ap 192.168.2.249 from all the clients within subnet 172.21.100.0/24; I am not able to reach 192.168.2.1.

Another important detail in my case above: some of the radios (or separate SSIDs), let's say radio1 on ap1, are configured in access point mode, however radio2 is connecting to device2 in client mode.

What I have tried is to bridge if1 and if2, since by default, once I connected with OpenWrt in client mode to device2, it created this new interface (if2), but not a network bridge with other interfaces. I always assumed that when a new 'radio' or SSID is created and a specific network (interface) is being chosen (in the case that there is only one or many LANs or VLANs), a network bridge is created between the selected LAN and radio.

I have tried adding a static route on the OpenWrt ap1, but it seems that it was incorrect, as it rendered the device unresponsive, so I had to power cycle it to gain access back.

I have also tried setting the static route created on the main router on my client3 only; this way I was able to access only 192.168.2.249 again, and only from that device.

Tried to dedicate a whole different OpenWrt device just for this, with the same wireless config/routing settings, but the results are the same.

I also tried to directly bridge radio2 with if1 (172.21.100.249/24), first by setting a secondary static IP address for if1: 192.168.2.249/24 (and then by not creating the if2 interface altogether), but it caused the wireless client to disconnect immediately, with error: "Interface 2 setup failed: BRIDGE_NOT_ALLOWED" in the syslog. Apparently the wifi radio in client mode can only operate as a new 'network interface'.

Should I try creating/using VLANs instead for this purpose? I have also never tried ad-hoc mode at the wireless radio settings. Would that work in my case? What is the correct way of specifying a static route that would work in my case?

Oh, and a second important thing. device2 is acting as an access point itself, it has its own SSID/WPA2 which lets clients connect to it, however it is not a router. Also there is no possibility to change its IP address and subnet, or set it up to act as a wireless client, hence my settings in OpenWrt.

Thank You,

The static route on main router is correct.
What is not correct is the br2 on ap1 containing if1,radio2. It should contain if2,radio2. br66 is wrong.
Furthermore, the firewall on both the main router and ap1 must allow traffic the way you desire.

1 Like

Yes, the chart was misleading. I have removed the network bridge between radio2 and if2 and even if1 altogether. Now basically it is a single interface only with static IP 192.168.2.249.

There are many other network bridges on the device, but they are for other networks, and those radios are in access point mode only, so this is irrelevant here.

                                                          +------------------+             +------------------+
                                                          |ap1 wifi radio1   |             |client device1    |
                                                      +---+                  +-+ +-+ +-+ +-+172.21.100.69     |
                                                      |   +------------------+             +------------------+
                                                      |
                             +--------------------+   |
                             |OpenWrt ap1         |   |   +------------------+             +------------------+
                         +---+if1: 172.21.100.249 +---+   |ap1 wifi radio2   |             |client device2    |
                         |   |if2: 192.168.2.249  +-------+                  +-+ +-+ +-+ +-+192.168.2.1       |
                         |   +--------------------+       +------------------+             +------------------+
                         |
                         |
+--------------------+   |
|OpenWrt main router |   |                                                                 +------------------+
|if1: 172.21.100.254 +---+-----------------------------------------------------------------+my client device3 |
|if2: ...            |                                                                     |172.21.100.66     |
|if3: ...            |                                                                     +------------------+
|...                 |
+--------------------+
static route1:
 iface if1
 target 192.168.2.0/24
 gw 172.21.100.249

Also, the ap1 device does not have a firewall enabled; it is a dumb access point in my case (or a network bridge between ethernet and wireless, if you may). On the main router itself, my clients and the network 172.21.100.0/24 are within the 'LAN' firewall zone. Obviously, 192.168.2.1 is reachable from ap1.

There should be a route definition that is missing...

This

and that

are contradicting.

If AP1 is dumbAP then all networks should terminate on the main router, that means to have an interface on both 172.21.100.0/24 and 192.168.2.0/24.

Since you have 2 interfaces on AP1, it is essentially routing.

2 Likes

Bridges are layer 2, they don't look at IP addresses. A bridge interface is the software equivalent of plugging cables into an unmanaged Ethernet switch. It requires no configuration but also doesn't segregate networks. So you don't want that here.

By default the Linux kernel would forward layer 3 packets between interfaces according to the routing table. But also by default the OpenWrt firewall will block such forwarding unless it is configured to allow it.

The simplest firewall config of ap1 to allow this would be to put if1 and if2 into the lan zone, and make sure the FORWARD default of lan is enabled.

3 Likes

You are perfectly right about this. It is a device that has multiple subnets and interfaces configured, but it is currently unable to 'route', hence the issue. I was referring to the device as a 'dumb ap' since my other, main router, a Mikrotik device is the gateway throughout my network.

Yes! In this case I would need to enable the firewall service on ap1, that might work.

However, it seems that I found another solution, that involves creating a 'relay bridge' interface, based on this tutorial: https://openwrt.org/docs/guide-user/network/wifi/relay_configuration

However, as I am not able to ping 192.168.2.1 from my client, I am not able to access any services, e.g. HTTP, coming from that device. I have the disclaimer in the header, as it is not the best solution. I'll try @mk24's solution now.

Yes, that was it! I had to create a new firewall zone and add both interfaces into it, and the magic option to enable masquerading. Of course I had to enable the firewall service, as it was disabled, and a good ol' reboot of the device.

Now the whole 192.168.2.0/24 subnet is reachable from the whole 172.21.100.0/24. Thank you for your tips and help!

As long as you have routing in place, masquerade should not be needed.

1 Like

For some reason it didn't work for me without masquerading enabled, even if the routing rule was in place.
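
The last two replies can both be true. As an added example (not code from any poster in this thread), the model below walks the diagram's addresses through longest-prefix routing in both directions. It assumes device2 knows only its connected 192.168.2.0/24 subnet and has no gateway, which the thread never shows, and it assumes ap1's firewall already permits forwarding.

```python
import ipaddress

# Addresses are from the thread's diagram. device2's routing table is an
# ASSUMPTION (connected subnet only, no gateway); the thread never shows it.
OWNER = {"172.21.100.66": "device3", "172.21.100.254": "main",
         "172.21.100.249": "ap1", "192.168.2.249": "ap1",
         "192.168.2.1": "device2"}

def build_routes(device2_has_gateway):
    routes = {  # (prefix, gateway); gateway None means on-link
        "device3": [("172.21.100.0/24", None), ("0.0.0.0/0", "172.21.100.254")],
        "main":    [("172.21.100.0/24", None), ("192.168.2.0/24", "172.21.100.249")],
        "ap1":     [("172.21.100.0/24", None), ("192.168.2.0/24", None)],
        "device2": [("192.168.2.0/24", None)],
    }
    if device2_has_gateway:  # hypothetical: device2 configured with a gateway
        routes["device2"].append(("0.0.0.0/0", "192.168.2.249"))
    return routes

def next_hop(table, dst):
    """Longest-prefix match; returns the next-hop IP, or None if no route."""
    ip = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), gw) for p, gw in table
            if ip in ipaddress.ip_network(p)]
    if not hits:
        return None
    _, gw = max(hits, key=lambda h: h[0].prefixlen)
    return gw or dst  # on-link: hand the packet straight to the destination

def deliver(routes, host, dst):
    """Hop-by-hop path from host to the owner of dst, or None if dropped."""
    path = [host]
    while OWNER[dst] != host:
        hop = next_hop(routes[host], dst)
        if hop is None:
            return None
        host = OWNER[hop]
        path.append(host)
    return path

def round_trip(masq, device2_has_gateway=False):
    routes = build_routes(device2_has_gateway)
    client, target = "172.21.100.66", "192.168.2.1"
    fwd = deliver(routes, "device3", target)
    seen_src = "192.168.2.249" if masq else client  # source as device2 sees it
    back = deliver(routes, "device2", seen_src)
    if back and masq:  # ap1 reverses the NAT, then routes on to the client
        back += deliver(routes, "ap1", client)[1:]
    return fwd, seen_src, back
```

Under that assumption the request always arrives, but the reply is dropped at device2 unless ap1 masquerades or device2 is given a route back. The trade-off of masquerading is that device2 sees every client as 192.168.2.249, so its logs and any per-client access controls can no longer tell hosts on 172.21.100.0/24 apart.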
