I am trying to set up a subnet with an OpenWRT router (subnet router) behind another OpenWRT router (primary router). The connection between the two is wireless. It is as in the picture from the Routed Client wiki.
I also looked at another OpenWRT wiki, which describes the same through LuCI. It requires the relayd package. I would prefer to do it 'directly' rather than through another package, also because that helps me to better understand what I am doing.
The subnet router has a USB wifi dongle and one ethernet port (it is an old PC). I defined the interfaces to
wlan, connected as client to the primary router
lan for the ethernet plug
In the firewall file, 'wan' was replaced by 'wlan' accordingly.
The initial setup was without any changes to the primary router. The 'wlan' interface was set to masquerade. A PC in the subnet, i.e. plugged into the subnet router, could then reach the internet.
I would like to disable masquerading.
Step 1 on the subnet router:
My /etc/config/network
config interface 'lan'
	option ifname 'eth0'
	option delegate '0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.2.1'
	list dns '192.168.33.1'

config interface 'wlan'
	option ifname 'wlan0'
	option delegate '0'
	option proto 'static'
	option ipaddr '192.168.1.10'
	option gateway '192.168.1.1'
	list dns '192.168.33.1'
	option netmask '255.255.255.0'
Unfortunately, this does not work. PCs in the subnet cannot ping 192.168.1.10 and consequently have no internet access. I can't figure out what is wrong. All I want is internet access for the subnet, no route from LAN to sub-LAN required.
In that case, would it be simpler to leave masquerading enabled? If there's no requirement for anything in 192.168.1.0/24 to talk to anything in 192.168.2.0/24, what benefit does turning off masquerading give?
Yes, it is from the ethernet-plugged client attached to the subnet router. The subnet router itself can ping anywhere, including the 192.168.1.X range and the internet, to which it is connected as a wireless client (see image above, same setup).
Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have
ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user; \
ip -4 addr ; ip -4 ro li tab all ; ip -4 ru; \
ls -l /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/* ; head -n -0 /etc/resolv.* /tmp/resolv.* /tmp/resolv.*/*
Take that out of /etc/config/network. Wifi interfaces are attached to a network with an option network in their wifi-iface block in /etc/config/wireless.
Generally you would set dns to the upstream router (192.168.1.1) in the wan section (what you are calling wlan; it would make more sense to name it wan). Don't set a dns in the lan section.
Though if you can't ping by numeric IP, DNS is not the problem. Start by logging into the 192.168.2.1 router and confirm you can ping the 192.168.1.1 router. This doesn't require any routing since the ping will go out on the wan interface which has a 192.168.1.0 IP.
The route command is a good way to see if basic routes are in place.
Reverted that, 'wlan' is now called 'wan'. Includes removal of ifname line in the network configuration file.
Here is the output of the series of commands @trendy posted:
{
	"kernel": "4.14.221",
	"hostname": "OpenWrt",
	"system": "Intel(R) Celeron(R) CPU G1610 @ 2.60GHz",
	"model": "Gigabyte Technology Co., Ltd. To be filled by O.E.M.",
	"board_name": "gigabyte-technology-co-ltd-to-be-filled-by-o-e-m",
	"release": {
		"distribution": "OpenWrt",
		"version": "19.07.7",
		"revision": "r11306-c4a6851c72",
		"target": "x86/64",
		"description": "OpenWrt 19.07.7 r11306-c4a6851c72"
	}
}
package network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fda9:2098:b869::/48'

config interface 'lan'
	option ifname 'eth0'
	option delegate '0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.2.1'

config interface 'wan'
	option delegate '0'
	option proto 'static'
	option ipaddr '192.168.1.10'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'
	option netmask '255.255.255.0'

package wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'pci0000:00/0000:00:1d.0/usb2/2-1/2-1.5/2-1.5:1.0'
	option htmode 'HT20'
	option country 'FR'

config wifi-iface 'wifinet1'
	option device 'radio0'
	option mode 'sta'
	option encryption 'psk2'
	option key 'secret-password'
	option network 'wan'
	option ssid 'wlan_primary-router'

package dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'

config dhcp 'lan'
	option interface 'lan'
	option leasetime '12h'
	option start '2'
	option limit '8'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

package firewall

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '0'
	option mtu_fix '1'
	list network 'wan'

config forwarding
	option src 'wan'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.
# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    inet 192.168.2.1/24 brd 192.168.2.255 scope global eth0
       valid_lft forever preferred_lft forever
9: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    inet 192.168.1.10/24 brd 192.168.1.255 scope global wlan0
       valid_lft forever preferred_lft forever

default via 192.168.1.1 dev wlan0 proto static
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.10
192.168.2.0/24 dev eth0 proto kernel scope link src 192.168.2.1
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.1.0 dev wlan0 table local proto kernel scope link src 192.168.1.10
local 192.168.1.10 dev wlan0 table local proto kernel scope host src 192.168.1.10
broadcast 192.168.1.255 dev wlan0 table local proto kernel scope link src 192.168.1.10
broadcast 192.168.2.0 dev eth0 table local proto kernel scope link src 192.168.2.1
local 192.168.2.1 dev eth0 table local proto kernel scope host src 192.168.2.1
broadcast 192.168.2.255 dev eth0 table local proto kernel scope link src 192.168.2.1

0:	from all lookup local
32766:	from all lookup main
32767:	from all lookup default

ls: /tmp/resolv.*/*: No such file or directory
lrwxrwxrwx    1 root     root            16 Feb 15 15:22 /etc/resolv.conf -> /tmp/resolv.conf
-rw-r--r--    1 root     root            32 Mar  7 11:50 /tmp/resolv.conf
-rw-r--r--    1 root     root            40 Mar  7 11:49 /tmp/resolv.conf.auto
==> /etc/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf <==
search lan
nameserver 127.0.0.1

==> /tmp/resolv.conf.auto <==
# Interface wan
nameserver 192.168.1.1
head: /tmp/resolv.*/*: No such file or directory
I changed that accordingly, resulting in no DNS resolution. Put the DNS server (192.168.1.1) into the LAN section and deleted it in the WAN section: DNS resolution works. This may well be related to the main trouble, i.e. since the routing from 192.168.2.X to 192.168.1.X does not work yet, neither would DNS resolution.
The route on the primary router was: target: 192.168.2.1/24 gateway: 192.168.1.10
With this, the primary router could ping 192.168.1.10 but not 192.168.2.1
I then changed it to target: 192.168.2.0/24 gateway: 192.168.1.10
Now, both can be pinged from the primary router. Let's check the opposite way.
Subnet router to primary router: yep
Subnet client to primary router: yeah
Subnet client to internet: working
So for those who might run into similar troubles, the trick with the static route is to direct it to the subnet network rather than the IP address of the client router.
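The static-route trap described in this last post, as an added example that is not part of the thread: a small checker that flags a route target with host bits set (192.168.2.1/24) and normalizes it to the subnet (192.168.2.0/24), verifies the gateway is on a directly connected subnet, and renders the standard netifd `config route` stanza. It assumes the primary router's LAN interface is named `lan` and carries 192.168.1.1/24 (the address is from the thread, the interface name is an assumption).

```python
"""Validate an OpenWrt static route the way the thread's fix requires:
the target must be the *network* (192.168.2.0/24), not a host address
inside it (192.168.2.1/24), and the next hop must be directly reachable."""
import ipaddress

# Constructed model of the primary router: LAN 192.168.1.1/24 (address from
# the thread); the interface name 'lan' is an assumption.
PRIMARY_ROUTER_IFACES = {"lan": ipaddress.ip_interface("192.168.1.1/24")}


def check_static_route(target, gateway, ifaces=PRIMARY_ROUTER_IFACES):
    """Return (ok, normalized_target, interface, problems).

    target: CIDR the route should cover; gateway: next-hop address;
    ifaces: interface name -> ipaddress.IPv4Interface of this router.
    """
    problems = []
    gw = ipaddress.ip_address(gateway)
    try:
        net = ipaddress.ip_network(target, strict=True)
    except ValueError:
        # Host bits set: '192.168.2.1/24' names a host, not a subnet.
        net = ipaddress.ip_network(target, strict=False)
        problems.append(f"{target} has host bits set; use {net}")
    # The next hop must be on a connected subnet, reachable without a route.
    via = next((n for n, i in ifaces.items() if gw in i.network), None)
    if via is None:
        problems.append(f"gateway {gw} is not on a directly connected subnet")
    elif gw == ifaces[via].ip:
        problems.append(f"gateway {gw} is this router's own address")
    elif net == ifaces[via].network:
        problems.append(f"{net} is already directly connected on {via}")
    return (not problems, str(net), via, problems)


def uci_route_stanza(target, gateway, ifaces=PRIMARY_ROUTER_IFACES):
    """Render the /etc/config/network 'config route' block for a valid route."""
    ok, net, via, problems = check_static_route(target, gateway, ifaces)
    if not ok:
        raise ValueError("; ".join(problems))
    return (f"config route\n\toption interface '{via}'\n"
            f"\toption target '{net}'\n\toption gateway '{gateway}'\n")


if __name__ == "__main__":
    for tgt in ("192.168.2.1/24", "192.168.2.0/24"):  # the thread's two attempts
        print(tgt, "->", check_static_route(tgt, "192.168.1.10"))
    print(uci_route_stanza("192.168.2.0/24", "192.168.1.10"))
```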