Special Type Of Wireless Client Bridge Update: Not So Special

UPDATE:Forum contributor jeff pointed me in the right direction with his explanation and as a result I finally ended up going through some more OpenWrt documentation. Therein I found the exact networking scenario I was seeking.

What I am trying to do here is known as a "Routed Client" using the Routed method rather than the Masquerade method.

This network scenario and how it is implemented is detailed on this document --

So, while have as yet to get this scenario up and running, it is the solution I seek.

Thank you jeff.

(Old Post)
This an extension of and correction to "Pseudo Client Bridge No Can Do" wherein I did not properly state the task at hand. Pseudo Client Bridge No Can Do

What I want to do with OpenWrt on a WRT1900ACS V2 router is easy to implement using DD-WRT, but I can find no similar example using OpenWrt. I say special only because, evidently, it is not the usual thing folks do using OpenWrt although this implementation is SOP using DD-WRT.
NETWORK SCENARIO (easily implemented using DD-WRT)

There are two independent local area networks connected by radio -- 2NET and 1NET.
** 1NET has a connection to the internet.
** CB1 is the Client Bridge that connects 2NET to 1NET via radio.
** The wired side of CB1 is a LAN switch and is part of 2NET
** No other wireless connections are possible to CB1.
** The only wireless connections available on 2NET are made via AP1 which is wired to CB1

NOTE: This is NOT the usual relay scenario. Perhaps to best understand this scenario see the ADDENDUM at the bottom of the page
Wireless Access Point AP1
(wired to)
Client Bridge CB1 LAN/WAN is a static IP wireless client of------------------
Using DD-WRT, CB1 is thus configured (pertinent details only) --

CB1 WAN SIDE (wireless side)
WAN Connection Type---Static IP
WAN IP Address-----------

CB1 LAN SIDE (wired side)
Local IP Address-----------
DHCP (local to 1NET) is turned on and serves a block starting at 192.168.51

The 5Ghz radio is disabled and the 2.4GHz radio is enabled as a Client of 1NET.
The radio side (WAN side) of 2NET is part of 1NET and so has the same SSID.
TO REITERATE: The CB1 radio is a dedicated point-to-point channel to 1NET. It does NOT serve as a 1NET relay. No other device can connect to the CB1 radio.

RESULT: The two LANs are COMPLETELY independent. The only thing shared is that 2NET is allowed access to the 1NET's Internet connection, and that is all.

This is what I want to do with OpenWrt -- make CB1. To repeat, it is very easy to do with DD-WRT but I cannot get is to work on OpenWrt. I do not believe it is impossible or even difficult. I must be missing something obvious.

Any recipes using LuCI to implement this CB1 scenario?

Since the wired Ethernet WAN port is unused on CB1 I would like to assign it to the LAN switch. This is easily done using DD-WRT by simply checking the Assign WAN Port to Switch check box. How would this be done on OpenWrt if it can be done?

I would rather not be forced to revert to DD-WRT as the only way to implement this netork scenario.

If I can pass this basic make-or-break hurdle, I'm all in for OpenWrt. If not, then, well, its back to DD-WRT.
Again, please note that this scenario is NOT the usual OpenWrt relay scenario.

Borrowing from the Wifi Extender or Repeater or Bridge Configuration Map --

Note the IP addresses of the two Client Hosts in the left hand cloud.

In the scenario I want to implement the WIRELESS side of the Client Bridge is DEDICATED TO THE 1NET CONNECTION, no wireless Client Host can connect to it. So just cross out the two Client Hosts in the left hand cloud.

The LAN port (on this map is wired directly to the AP1 ( access point which provides wireless connections on the 2NET side.

I am quite familiar with that, but it is not the scenario I seek to implement. Thanks anyway.

Oh Ok,

From memory, you need to goto Luci->interfaces->wireless and select SCAN in the wireless overview section and the JOIN NETWORK the appropriate network.

I don't remember the rest of the details but if you don't work it out let me know I can get a spare router and try it out.

Thanks, done that. There is some other problem, and it is not the firewall.

At least as I understand it, there is no "bridge" involved here, in the technical sense that a bridge generally refers to a Layer 2 construct. If you agree after reading what follows, you may want to edit the title of this thread.

From what I now understand from your description of your goals )and please let us know if this is not correct):

Using Class A and Class B networks for clarity

There are two routers, RouterA and RouterA. RouterA is connected to the public Internet with a globally routable IP address in its "WAN" interface.

RouterA has NetworkA attached to it,, with an assigned IP of RouterA supplies DHCP and other services to the hosts on NetworkA.

RouterB has a NetworkB attached to it,, with an assigned IP of Router B supplies DHCP and other services to the hosts on NetworkB.

RouterB has its WAN interface connected to the network with an assigned IP of
It so happens that this is a wireless connection, but that is something of a red herring.

Hosts on NetworkA should be able originate outbound connections to hosts in the public Internet. The should not be able to communicate with hosts on NetworkB.

Hosts on NetworkB should be able originate outbound connections to hosts in the public Internet. The should not be able to communicate with hosts on NetworkA.

So, to accomplish this the routing needs to look something like:


  • default via WAN to (assigned gateway) -- "auto" with DHCP assignment to WAN
  • via LAN link local -- "auto" by virtue of the interface configuration
  • via LAN to -- manual, static route


  • default via WAN to -- manual, static route
  • via LAN link local -- "auto" by virtue of the interface configuration

With this, NetworkA <-NAT-> public Internet should work, as would NetworkB <-NAT-> public Internet (with "standard" NAT/firewall rules). Depending on the configuration you start with, you might need to replicate the forwarding rule for NetworkB (on RouterA).

Now, prevent NetworkA <-> NetworkB communication, being careful not to break the RouterA <-> RouterB link. Order here is important! On RouterA

  • Allow to out via LAN
  • Allow to in via LAN
  • Deny NetworkA to NetworkB
  • Deny NetworkB to NetworkA

(Personally, I'd set up the link between the two routers with IP addresses that don't fall in NetworkA or NetworkB to make things clearer and more robust.)


Thanks for taking the time. It helped. No success yet but you headed me in the right direction and I appreciate it.

After trying to fake it following your outline (I really don't know what I am doing here, my depth of formal routing knowledge is practically nil) I went back through some OpenWrt documentation and found the scenario that fits exactly what you describe and what I am looking for with one exception -- Hosts on both NetworkA and NetworkB can see each other. This will be resolved, of course, with the firewall rules you make note of in your post.

I have saved your notes locally and will be taking down this post in the near future as it may be confusing and my bit is erroneous.

The relevant OpenWrt documentation is found on the Routed Client archive --

The disclaimer at the top suggests there is newer documentation, but I have not been able to find it as of yet.

So, thanks so much!

I find it helpful to think about the routing one step at a time.

Standard rules for "all" nodes:

  • addressed to me, I'll take it
  • addressed to something I know is directly connected to me, put it out on that link
  • something I don't know about, send it "care of" my default gateway

The one place with what I think your topology needs a hint is when a packet for NetworkB shows up on RouterA. Without something else, it would just send it to the default gateway, probably your ISP. So you need to tell RouterA that NetworkB exists somewhere behind -- it then sends the packet to, which "knows" about NetworkB and it delivers it to the destination using its "addressed to something I know is directly connected to me, put it out on that link" rule.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.