WDS requires an unused SSID?

Here are the up to date configs:

MAIN wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'mbus@f1000000/mbus@f1000000:pcie@82000000/pci0000:00/0000:00:01.0/0000:01:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'mbus@f1000000/mbus@f1000000:pcie@82000000/pci0000:00/0000:00:02.0/0000:02:00.0'
	option channel '36'
	option band '5g'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Foobar'
	option encryption 'psk2'
	option key 'password'
	option network 'lan'

MAIN network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '****:****:****::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'ethernet1'
	list ports 'ethernet2'
	list ports 'ethernet3'
	list ports 'ethernet4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'internet'
	option macaddr '**:**:**:**:**:**'

config interface 'wan'
	option device 'internet'
	option proto 'dhcp'

config interface 'wan6'
	option device 'internet'
	option proto 'dhcpv6'

CLIENT wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'mbus@f1000000/mbus@f1000000:pcie@82000000/pci0000:00/0000:00:01.0/0000:01:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'mbus@f1000000/mbus@f1000000:pcie@82000000/pci0000:00/0000:00:02.0/0000:02:00.0'
	option channel '36'
	option band '5g'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'sta'
	option network 'wwan'
	option ssid 'Foobar'
	option encryption 'psk2'
	option key 'password'

CLIENT network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '****:****:****::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'ethernet1'
	list ports 'ethernet2'
	list ports 'ethernet3'
	list ports 'ethernet4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.1'

config device
	option name 'internet'
	option macaddr '**:**:**:**:**:**'

config interface 'wan'
	option device 'internet'
	option proto 'dhcp'

config interface 'wan6'
	option device 'internet'
	option proto 'dhcpv6'

config interface 'wwan'
	option proto 'dhcp'

CLIENT firewall

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

You need to add

option wds '1'

at both ends of the interconnect before starting the AP on the other device.

Thanks. I'm no longer using WDS mode, however. I had misunderstood what WDS was for and so I am now only using Client mode.

The issue now is just that devices on the 192.168.1.0/24 subnet cannot send traffic to devices on the 192.168.2.0/24 subnet. I assume this is a layer 3 firewall issue.


See here:

It's normal firewall behavior on the WAN firewall zone.

Did you:

  • allow input (or forwarding) from client WAN in client device
  • turn off masquerade on client WAN
  • add a static route for the 192.168.2.0/24 network on the main router?

You'll need to explain all the functionality you desire if you need more than basic upstream WWAN connectivity for Computers 1 and 2.


On CLIENT:

  • I changed both Input and Forward to accept on the wan zone.
  • I turned off masquerading on the wan zone. I think this broke COMPUTER's ability to access the internet or the 192.168.1.1 LuCI page.

On MAIN:

  • I added a static route, but I'm not sure if I did it correctly:
    Network -> Routing
    Static IPv4 Routes
    Click [Add]
    Interface = lan
    Route type = unicast
    Target = 192.168.2.0/24
    Gateway = 192.168.2.1

Status

Doing the 3 items above did not seem to fix the issue.

Prior to the 3 steps above:

  • COMPUTER was able to ping MAIN, LAPTOP, CLIENT, and google.
  • LAPTOP was able to ping MAIN and google. It could not ping CLIENT or COMPUTER.

After the 3 steps above:

  • COMPUTER can no longer ping LAPTOP, MAIN, or google. This seems to be due to disabling masquerading.

I think I just need basic connectivity: all of the devices (the LAPTOPs, COMPUTERs, and 2 routers) able to send traffic to each other and access the internet. It seems like the main issue is just that traffic from 192.168.1.0/24 -> 192.168.2.0/24 is being blocked, even though the reverse (192.168.2.0/24 -> 192.168.1.0/24) is not. I think you're right about the CLIENT wan blocking traffic, but I might just be incorrectly changing the settings you mentioned.

A few thoughts:

  1. Are you sure about disabling masquerading on the CLIENT wan zone?
  2. Does the CLIENT wan zone need to have the lan zone in its Forwardings list?
  3. Did I set up the static route correctly?

Yes, as this is required for the devices on the client router to use the 192.168.2.0 IPs as SRC and not the IP of WWAN.

Yes. Thanks for catching that.

Disregard my comment about changing the client WAN forwarding - I was incorrect. The WAN forward setting doesn't apply in this use case (that setting is for interfaces in the zone).

No, you didn't.

  • the gateway for 192.168.2.0/24 needs to be the IP obtained by the WWAN interface of the client router. It'll be a 192.168.1.x IP

(Alternatively, you could assign WWAN to the client LAN firewall zone instead and remove it from the WAN zone, as that zone already allows forwarding by default - and hence traffic between WWAN and LAN would be allowed.)


Thanks! I think everything is working perfectly now!

To fix the Static Route:

  1. I set up a static DHCP address on the 192.168.1.0/24 subnet (i.e. 192.168.1.2).
  2. I used that address (192.168.1.2) as the Static Route Gateway instead of the incorrect 192.168.2.1.

Good idea. If I don't do that, I think I might still need the CLIENT wan Input to be set to accept in order to access CLIENT from LAPTOP. Either way, as long as I'm not plugging anything (like a modem) into the physical wan port, I assume there's no security issue here.

(Also, I noticed that these firewall and static route settings seem to be wrong or missing on the Connect to client Wi-Fi network documentation page for both LuCI and uci. The guide was otherwise pretty good.)

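The working end state of this thread written out as UCI sections (an added example, not the poster's own files): it combines the alternative suggested above (moving WWAN into the client's LAN zone rather than opening the WAN zone) with the poster's static lease and corrected route. The `client-router` host name and the masked MAC are placeholders.

```uci
# CLIENT /etc/config/firewall (added example, not the poster's file):
# wwan joins the lan zone, so lan<->wwan forwarding is allowed by the
# zone's own ACCEPT policy and no masquerading is applied. The wan zone
# keeps input/forward REJECT, so the physical WAN port stays firewalled.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	list network 'wwan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

# MAIN /etc/config/dhcp: pin the CLIENT's wwan lease so the route gateway
# below stays valid across reboots. The MAC is a placeholder for the
# CLIENT's radio0 address.
config host
	option name 'client-router'
	option mac 'xx:xx:xx:xx:xx:xx'
	option ip '192.168.1.2'

# MAIN /etc/config/network: return route for the client subnet, via the
# 192.168.1.x address the CLIENT obtained on wwan (not 192.168.2.1).
config route
	option interface 'lan'
	option target '192.168.2.0/24'
	option gateway '192.168.1.2'
```

After `/etc/init.d/firewall restart` on CLIENT and `/etc/init.d/network reload` on MAIN, `ip route` on MAIN should list 192.168.2.0/24 via 192.168.1.2, and LAPTOP should be able to ping 192.168.2.1.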
