[SOLVED] Unable to set up WLAN guest network with OpenWrt in dumb AP and LAN switch mode via LuCI due to broken routing

Hi,

I am struggling with what should be a pretty basic setup:

  • LAN server and router 10.11.13.1/24 (with a static route for network 10.11.17.0/24 to gateway 10.11.13.10)
  • OpenWrt AP 10.11.13.10 with an intended functionality of a "dumb" AP/switch on the LAN and extra functionality of a separate Guest AP network (hence being a gateway for 10.11.17.0/24).

OpenWrt is set up so that the lan interface bridges all physical ports (marked as LAN and WAN) and also wlan "AP1". This part works fine, all clients (wireless and LAN) connected to OpenWrt get an IP address from the LAN server/router and can talk to LAN and to the internet.

Now, I have created a parallel WLAN AP "Guest", assigned it to the network infernet, enabled DHCP server on this interface for 10.11.17.1/24 subnet. In firewall, I put all to "accept" for testing purposes and set up zone forwarding from infernet to lan and vice versa.

(Once well tested, the plan is to use firewall to restrict access from "infernet" to "lan" and allow only public internet.)

When a client connects to the guest WLAN Guest, it gets an IP address from pool 10.11.17.0/24, but that's all - the client cannot ping 10.11.17.1 and also nothing from LAN or internet. The client is also not pingable from openWRT (ssh console).

OpenWrt 18.06.1, device Asus RT-N56U.

P.S. The trouble seems to be a broken routing table - see at the bottom.

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:01.0/0000:01:00.0'
        option channel '7'
        option legacy_rates '1'
        option country 'CZ'
        option txpower '20'
        option htmode 'HT40'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option key '************'
        option encryption 'psk2'
        option ssid 'AP1'
        option network 'lan'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'platform/10180000.wmac'
        option htmode 'HT20'
        option country 'CZ'
        option legacy_rates '1'
        option txpower '23'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option encryption 'psk2'
        option key '*********'
        option ssid 'AP5G'
        option disabled '1'
        option network 'lan'

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid 'Guest'
        option key '*********'
        option network 'infernet'
        option encryption 'psk2'

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd38:a2ae:1569::/48'

config interface 'lan'
        option type 'bridge'
        option proto 'dhcp'
        option hostname 'rt-n56u'
        option ifname 'eth0.1 eth0.2'

config device 'lan_dev'
        option name 'eth0.1'
        option macaddr '0a:60:6e:e9:3c:89'

config device 'wan_dev'
        option name 'eth0.2'
        option macaddr '08:60:6e:e9:3c:88'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        option enable_vlan4k '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0 1 2 3 4 8t'

config interface 'infernet'
        option proto 'static'
        option ipaddr '10.11.17.1'
        option netmask '255.255.255.0'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option drop_invalid '1'
        option forward 'ACCEPT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'lan'
        option forward 'ACCEPT'

config include
        option path '/etc/firewall.user'

config zone
        option name 'infernet'
        option output 'ACCEPT'
        option input 'ACCEPT'
        option network 'infernet'
        option forward 'ACCEPT'

config rule
        option target 'ACCEPT'
        option src 'infernet'
        option name 'Allow_INFERNET_DHCP'
        option proto 'udp'
        option dest_port '67-68'
        option enabled '0'

config rule
        option target 'ACCEPT'
        option src 'infernet'
        option name 'Allow_INFERNET_DNS'
        option dest_port '53'
        option enabled '0'

config forwarding
        option dest 'infernet'
        option src 'lan'

config forwarding
        option dest 'lan'
        option src 'infernet'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option rebind_protection '0'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv6 'server'
        option ra 'server'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'infernet'
        option start '100'
        option leasetime '12h'
        option limit '150'
        option interface 'infernet'
        option dhcpv6 'server'
        option ra 'server'
        option ra_management '1'

What drew my attention is the routing table:

root@OpenWrt:~# ip route

default via 10.11.17.1 dev wlan0-1 
10.11.13.0/24 dev br-lan scope link  src 10.11.13.10 
10.11.17.0/24 via 10.11.13.10 dev br-lan  src 10.11.13.10 
10.11.17.0/24 dev wlan0-1 scope link  src 10.11.17.1

I would expect the default via 10.11.13.1 dev br-lan. Also the two routes to 10.11.17.0/24 looked weird.
Once updated (manually on console):

root@OpenWrt:~# ip route
default via 10.11.13.1 dev br-lan 
10.11.13.0/24 dev br-lan scope link  src 10.11.13.10 
10.11.17.0/24 dev wlan0-1 scope link  src 10.11.17.1 

all started to work as expected.

Is there a way to achieve this via LuCI? (If not, I have to check how to force the above working routes manually so that they are set up after reboot.)

I see a major problem.

  • By theory, or by accident, you have bridged WAN and LAN together.
  • At no point is a Static IP or DHCP configured for WAN
  • Due to the bridge, you're issuing DHCP to WAN, please fix that, or your ISP may be unhappy.

Yes!

On LuCI, browse to Network > Interfaces

[Screenshot from 2018-12-02 15-29-31]

I have bridged LAN and WAN physical ports on purpose, the openWRT is a dumb AP in LAN and it is not connected to ISP. Hence all physical ports should provide 'switch' functionality for existing LAN.

But anyway, your remark is valid - the OpenWrt lan network interface does not have a static address, it asks the "server" (which is also the LAN network router) for one (statically assigned 10.11.13.10).

Probably as a result of that setting, the options of the DHCP server for the LAN interface are not shown in the LuCI web interface, but as you have noticed, the DHCP server remains on.

[Screenshot: LAN network - no DHCP server info]

Anyway, I will set option ignore '1' directly in the dhcp config file in the lan section.

I did search a bit more on the routing tables in OpenWRT and it seems this cannot actually be managed via LuCI.

What I did, is that I set option metric '10' for the lan interface directly in the config/network file:

config interface 'lan'
        option type 'bridge'
        option proto 'dhcp'
        option hostname 'rt-n56u'
        option ifname 'eth0.1 eth0.2'
        option metric '10'

and also option defaultroute '0' to the Guest network infernet:

config interface 'infernet'
        option proto 'static'
        option ipaddr '10.11.17.1'
        option netmask '255.255.255.0'
        option defaultroute '0'

Which seems to result in a working routing table after reboot:

root@OpenWrt:~# ip route
default via 10.11.13.1 dev br-lan  src 10.11.13.10  metric 10 
10.11.13.0/24 dev br-lan scope link  metric 10 
10.11.17.0/24 dev wlan0-1 scope link  src 10.11.17.1 
10.11.17.0/24 via 10.11.13.10 dev br-lan  src 10.11.13.10  metric 10 

After all, I have not found a way to set a default route in LuCI.

In /etc/config/network:

config route
        option interface 'xxx'
        option target '0.0.0.0'
        option netmask '0.0.0.0'
        option gateway 'xxx.xxx.xxx.xxx'

Reopening :) for additional comment.

I had a problem with the DHCP server @ 10.11.13.1 (server/router of LAN) sending a static route "10.11.17.0/24 via 10.11.13.10" to all its clients. (Which is a wanted behaviour on LAN.)

One of the clients is also the LAN interface of the OpenWrt device (dumb AP) - which is the actual gateway to the guest network 10.11.17.0/24. Here, such a route breaks things :(

The routing table on OpenWrt had contradicting routes for 10.11.17.0/24 network:

root@OpenWrt:~# ip route
default via 10.11.13.1 dev br-lan 
10.11.13.0/24 dev br-lan scope link  src 10.11.13.10 
10.11.17.0/24 via 10.11.13.10 dev br-lan  src 10.11.13.10 
10.11.17.0/24 dev wlan0-1 scope link  src 10.11.17.1 

No other setting than creating the second static route on OpenWrt device with the gateway empty for target 10.11.17.0/24 (infernet is the guest network) resolved the problem:


After reboot, the routing table looked better:

root@OpenWrt:~# ip route
default via 10.11.13.1 dev br-lan  src 10.11.13.10 
10.11.13.0/24 dev br-lan scope link  src 10.11.13.10 
10.11.17.0/24 dev wlan0-1 scope link 
10.11.17.0/24 dev wlan0-1 scope link  src 10.11.17.1 

Not sure if it is the correct resolution, however the second static route seems to override the route received from "upstream" DHCP server.

(I also tried to put there the gateway 10.11.17.1 - but that one did not delete the upstream broken route.)

I wonder if it is possible to set the lan interface options so that the routes sent by "upstream" DHCP server are ignored:

I tried the obvious: to uncheck the "Use default gateway" but that one did not do the trick - it affected only the default one, not the static one.
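
Added example, not part of the original posts: a shell function that reads `ip route` output and flags the two faults seen in this thread, a route whose gateway is one of the router's own addresses and a gateway route for a prefix that is already directly connected on another interface. The function name `audit_routes` and the finding labels are hypothetical; `BROKEN` and `FIXED` are the first two routing tables posted above.

```shell
#!/bin/sh
# Added example: flag suspicious entries in `ip route` output.
# BROKEN is the first routing table posted in this thread; FIXED is the
# table after the manual correction.
BROKEN='default via 10.11.17.1 dev wlan0-1
10.11.13.0/24 dev br-lan scope link  src 10.11.13.10
10.11.17.0/24 via 10.11.13.10 dev br-lan  src 10.11.13.10
10.11.17.0/24 dev wlan0-1 scope link  src 10.11.17.1'
FIXED='default via 10.11.13.1 dev br-lan
10.11.13.0/24 dev br-lan scope link  src 10.11.13.10
10.11.17.0/24 dev wlan0-1 scope link  src 10.11.17.1'

# audit_routes (hypothetical name): reads `ip route` text on stdin and
# prints one finding per line; prints nothing when the table is clean.
audit_routes() {
    awk '
    NF {
        via = ""; dev = ""; src = ""
        for (i = 2; i < NF; i++) {
            if ($i == "via") via = $(i + 1)
            else if ($i == "dev") dev = $(i + 1)
            else if ($i == "src") src = $(i + 1)
        }
        n++; dst[n] = $1; gw[n] = via; ifc[n] = dev
        if (src != "") own[src] = 1          # src is always a local address
        if (via == "") connected[$1] = dev   # on-link (connected) prefix
    }
    END {
        for (k = 1; k <= n; k++) {
            if (gw[k] == "") continue
            # Next hop is one of this router own addresses.
            if (gw[k] in own)
                printf "SELF_GATEWAY %s via %s dev %s\n", dst[k], gw[k], ifc[k]
            # Gateway route competes with a connected route on another port.
            if ((dst[k] in connected) && connected[dst[k]] != ifc[k])
                printf "SHADOWS_CONNECTED %s via %s dev %s (connected on %s)\n",
                    dst[k], gw[k], ifc[k], connected[dst[k]]
        }
    }'
}

# Run the check on the broken table from the thread.
printf '%s\n' "$BROKEN" | audit_routes
```

On the router itself the same check is `ip route | audit_routes`; the table posted after the `metric`/`defaultroute` change would still be flagged, because the DHCP-supplied route for 10.11.17.0/24 is still present in it.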

Usually, Local Networks don't have a gateway, you're usually sending traffic to another interface (i.e. WAN).
