What terminal commands should I execute to understand why WAN connection fails after disabling the firewall?

I am running OpenWrt 21.02.1, r16325-88151b8303 and would like to use it as a simple bridged router.
I noticed scp from connected clients causes spikes in load that degrade the quality of other clients' WAN connections.

So I tried disabling the firewall using the dumb AP guide steps.

When I execute those commands, all clients lose WAN access. They retain their DHCP leases.

What commands should I execute to troubleshoot this problem? Ideally I would like to determine the cause.

Thanks!

If you turn off the firewall, you also turn off masquerading on the wan zone. This is necessary to share your WAN's IP address with multiple hosts on your network. So aside from protecting your network, you need the firewall to enable your devices to be able to use the internet (at least when you are using a single IPv4 address as is issued from most ISPs).

Can you elaborate a bit here. What is your proposed network topology? A diagram may help.


Ah, I see. I initiated a change that resulted in the correct behavior. I simply have a misunderstanding :smile:.

Certainly!

The clients use wired connections to one of the 4 ethernet ports on the openwrt box.
The openwrt box uses DNS forwarding and its own DHCP server (just got something working :slight_smile:).
The openwrt connects to the pfsense box using the WAN port on the openwrt router.
The pfsense router is connected to my modem and also hosts the primary DNS server I am using.

Do you want the OpenWrt device to do anything specific, or is it acting purely as a switch and dumb AP?

You've followed the dumb AP guide... the one thing you might not have done, though, was connect the pfSense router to one of the LAN ports of the OpenWrt device.

If you want to physically connect via the WAN port, it is usually pretty simple to configure the WAN port to be "just another port" on the system. If that is what you want...

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network

I currently want openwrt to be a switch and dumb AP. Longer term I may want to migrate from pfsense to use bridged openwrt boxes but that is a different story!


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd0b:633d:6f97::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'eth0.2'
	option macaddr 'c4:6e:1f:a6:b0:83'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'

This is a tplink tl-wdr4300-v1 FWIW.

Should be simple. Take the above and make it like this:

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '0t'

grand, thank you! I'll give this a try later.
For my understanding, what exactly does the change mean?

The router has a 5-port hardware switch (that is VLAN aware). That switch connects to the CPU on the CPU's eth0 interface.
Logical switch port 1 (as shown in the config file) corresponds to the port that is physically labeled WAN on your device. That logical port was assigned to VLAN 2, which then presents to the CPU as eth0.2 which is then assigned to the wan network interface. Your LAN consists of 4 switch ports (logical 2-5) on VLAN1 (eth0.1 > br-lan > lan network interface).

So what we did was change logical port 1 from being a member of VLAN 2 (wan interface) to now being a member of VLAN 1 (lan interface).

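To make the port-to-VLAN-to-interface chain described above concrete, here is an added example (not from the thread or from OpenWrt itself) that parses a swconfig-style /etc/config/network and reports which physical switch ports back each logical interface, before and after the suggested switch_vlan change. It assumes, as the explanation above states for this device, that switch0 hangs off the CPU's eth0 so VLAN N appears as eth0.N, and that a port suffixed with t is the tagged CPU uplink rather than a client-facing port. The two config texts are copied from the thread (with the macaddr line dropped) for use as sample input.

```python
"""Map swconfig VLAN membership to OpenWrt network interfaces.

Parses UCI text ('config switch_vlan', bridge 'config device' and
'config interface' sections) and derives, per interface, the physical
switch ports that carry it. A VLAN whose only member is the tagged CPU
port backs an interface that has no physical link at all.
"""
import re
from collections import defaultdict

# Sample input: the config posted in the thread (macaddr line omitted).
BEFORE = """
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0.1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'wan'
	option device 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 0t'
"""

# Same config with the suggested change: port 1 moved from VLAN 2 to VLAN 1.
AFTER = BEFORE.replace("'2 3 4 5 0t'", "'1 2 3 4 5 0t'").replace("'1 0t'", "'0t'")

_SECTION = re.compile(r"^config\s+(\S+)(?:\s+'?([^'\s]+)'?)?$")
_OPTION = re.compile(r"^(option|list)\s+(\S+)\s+(?:'([^']*)'|(\S+))$")


def parse_uci(text):
    """Parse UCI text into a list of section dicts (type, name, options, lists)."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = _SECTION.match(line)
        if m:
            sections.append({'type': m.group(1), 'name': m.group(2),
                             'options': {}, 'lists': defaultdict(list)})
            continue
        m = _OPTION.match(line)
        if m and sections:
            kind, key = m.group(1), m.group(2)
            val = m.group(3) if m.group(3) is not None else m.group(4)
            if kind == 'option':
                sections[-1]['options'][key] = val
            else:
                sections[-1]['lists'][key].append(val)
    return sections


def interface_ports(sections, cpu_iface='eth0'):
    """Return {interface: [physical switch ports]}, sorted numerically.

    cpu_iface is an assumption: the CPU-side interface the switch attaches to,
    so VLAN N of the switch is presented to the CPU as '<cpu_iface>.N'.
    """
    dev_ports = {}
    # 1. switch_vlan: VLAN id -> untagged (client-facing) ports; '0t' is the CPU uplink.
    for s in sections:
        if s['type'] == 'switch_vlan':
            ports = s['options'].get('ports', '').split()
            physical = [p.rstrip('*') for p in ports if not p.endswith('t')]
            dev_ports[f"{cpu_iface}.{s['options']['vlan']}"] = physical
    # 2. bridges: br-lan -> union of the ports behind its member devices.
    for s in sections:
        if s['type'] == 'device' and s['options'].get('type') == 'bridge':
            members = s['lists'].get('ports', [])
            dev_ports[s['options']['name']] = [
                p for m in members for p in dev_ports.get(m, [])]
    # 3. interfaces: lan -> br-lan -> ports, wan -> eth0.2 -> ports, and so on.
    result = {}
    for s in sections:
        if s['type'] == 'interface' and s['name'] != 'loopback':
            dev = s['options'].get('device')
            result[s['name']] = sorted(set(dev_ports.get(dev, [])), key=int)
    return result


def unbacked_interfaces(mapping):
    """Interfaces whose VLAN has no physical port: they will never see link."""
    return sorted(name for name, ports in mapping.items() if not ports)


if __name__ == '__main__':
    for label, cfg in (('before', BEFORE), ('after', AFTER)):
        mapping = interface_ports(parse_uci(cfg))
        print(label, mapping, 'no physical port:', unbacked_interfaces(mapping))
```

Run as-is, the script shows wan and wan6 backed by port 1 before the change and by nothing after it, while lan picks up port 1: after the edit the WAN-labelled socket is just another LAN port, and the wan/wan6 interfaces still exist in the config but can never obtain a DHCP lease because no cable can reach them.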

Just to clarify, a dumb AP is a bridged box. It contains only one network (the LAN) and all of its ports wired and wifi are bridged together.

All DNS requests, DHCP requests, etc. will be passed to the main router (pfsense) for it to handle, without any local processing in the dumb AP. Wired to wired transfers will be handled by hardware switching since they are all in the same switch VLAN.

The only reason a dumb AP holds an IP address at all is for administrative logins and access to the Internet such as to set the clock using NTP. The users will not interact with layer 3 services on the dumb AP at all.

