WiFi client as gateway to ethernet LAN

Hi guys,

I'm trying to finalize the following setup, but I'm unable to do it.

I have a LAN network "A" with Internet access (192.168.1.0/24) and a WiFi network "B" (10.0.0.0/23) on a Cisco WLC infrastructure. There is no communication between them, but I have access to both.

I have a small router (AR300M) with the WAN eth connected to "A" and the WiFi module connected as client to "B". I would like to connect my devices to the WiFi network "B" and use my AR300M as gateway, to have Internet access.

I think there is either something driver level (can a WiFi client do routing?) or on the WiFi infrastructure that is blocking the forwarding of the packets. I know that in some cases relayd can be used to have a routed client setup, but this looks different. Any hints?

Cheers!

Well a couple of questions:

  1. Is the AR300M running Openwrt?
  2. Are the clients in 10.0.0.0/23 configured to use the AR300M as gateway?
  3. Does your LAN network A have a route to 10.0.0.0/23 via the AR300M? (Otherwise you would need to NAT on the AR300M.)

Thank you faser, here my answers:

  1. Yes, I'm on OpenWrt SNAPSHOT r15250-0cf3c5dd72.
  2. Yes.
  3. No, I can't control the LAN A configuration, I can only access it. This could be the missing point then, can you help with the NAT rule?

Well that would be a normal OpenWrt config where you would have the Ethernet/LAN port of the AR300M as WAN and the WiFi in LAN.
I guess you would need to start sharing your network and firewall config of the AR300M so that people can advise.

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd26:8a53:a2ee::/48'

config interface 'wan'
        option ifname 'eth1'
        option proto 'static'
        option netmask '255.255.255.0'
        option gateway '192.168.1.1'
        option peerdns '0'
        option delegate '0'
        option ipaddr '192.168.1.101'

config interface 'wlancli'
        option delegate '0'
        option proto 'static'
        option ipaddr '10.0.0.1'
        option netmask '255.255.254.0'

/etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option synflood_protect '1'
        option forward 'DROP'

config zone
        option name 'ZWLANCLI'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option family 'ipv4'
        option forward 'ACCEPT'
        list network 'wlancli'

config zone
        option name 'ZWAN'
        option output 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        option family 'ipv4'
        option input 'DROP'
        option forward 'DROP'
        list network 'wan'

config include
        option path '/etc/firewall.user'

config forwarding
        option dest 'ZWAN'
        option src 'ZWLANCLI'

I tried adding a NAT rule like:

config nat
        option name 'NAT to WiFi Clients'
        option src_ip '10.0.0.0/23'
        list proto 'all'
        option src 'ZWAN'
        option target 'MASQUERADE'

But it doesn't work...

This doesn't seem correct, although I set ZWAN as the outbound interface in the NAT rule GUI...

Actually you don't need a NAT rule (that may have been confusing wording from me). This normally is covered by the Forwarding and Masquerading rules.

So as you write it doesn't work. Can you enable logging on the LAN and WAN firewall?
And then check what happens to a packet that you send from the LAN. E.g. on a client run ping 8.8.8.8 and run tcpdump -n -i any host 8.8.8.8 on the AR300M.

I see the packets in the tcpdump:

06:52:11.783133 IP 10.0.0.2 > 8.8.4.4: ICMP echo request, id 69, seq 1, length 64
06:52:11.783315 IP 192.168.1.101 > 8.8.4.4: ICMP echo request, id 69, seq 1, length 64
06:52:12.585340 IP 8.8.4.4 > 192.168.1.101: ICMP echo reply, id 69, seq 1, length 64
06:52:12.585467 IP 8.8.4.4 > 10.0.0.2: ICMP echo reply, id 69, seq 1, length 64

The firewall log doesn't show anything. I don't receive the echo reply on my client though...
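The capture above can be read mechanically instead of by eye. The following POSIX sh/awk script is an added example (not from this thread and not OpenWrt's own tooling): it parses tcpdump -n output taken on the router and checks, per ICMP id/seq pair, that the client's echo request was SNATed to the WAN address, that the reply came back to the WAN address, and that the reply was translated back to the client. The two traces are constructed; the first mirrors the capture posted above, the second drops the last line to show what a failed reverse translation looks like. The function name, the inside-address regex for 10.0.0.0/23 and the WAN address are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check a router-side tcpdump trace for
# symmetric NAT of ICMP echo traffic. Uses only POSIX sh and awk.

INSIDE='^10[.]0[.][01][.]'   # assumption: client side is 10.0.0.0/23
WAN=192.168.1.101            # assumption: the router's upstream address

TRACE_OK=$(mktemp)
TRACE_BAD=$(mktemp)
trap 'rm -f "$TRACE_OK" "$TRACE_BAD"' EXIT

# Constructed healthy trace, modelled on "tcpdump -n -i any host 8.8.4.4":
# request SNATed to the WAN address, reply translated back to the client.
cat > "$TRACE_OK" <<'EOF'
06:52:11.783133 IP 10.0.0.2 > 8.8.4.4: ICMP echo request, id 69, seq 1, length 64
06:52:11.783315 IP 192.168.1.101 > 8.8.4.4: ICMP echo request, id 69, seq 1, length 64
06:52:12.585340 IP 8.8.4.4 > 192.168.1.101: ICMP echo reply, id 69, seq 1, length 64
06:52:12.585467 IP 8.8.4.4 > 10.0.0.2: ICMP echo reply, id 69, seq 1, length 64
EOF

# Constructed broken trace: the reply reaches the WAN address but the router
# never translates it back towards the client.
head -n 3 "$TRACE_OK" > "$TRACE_BAD"

# nat_trace_check INSIDE_REGEX WAN_IP TRACEFILE
#   Prints "ok" and returns 0 when every echo request from an inside client was
#   SNATed and its reply translated back; otherwise prints one "missing: ..."
#   line per gap and returns 1.
nat_trace_check() {
    awk -v inside="$1" -v wan="$2" '
    # Only lines of the form "IP src > dst: ICMP echo request|reply, id N, seq M, ..."
    $2 == "IP" && $6 == "ICMP" && $7 == "echo" {
        src = $3; dst = $5; sub(/:$/, "", dst)
        id = $10; sub(/,$/, "", id); seq = $12; sub(/,$/, "", seq)
        key = id "/" seq
        if ($8 == "request,") {
            if (src ~ inside)    { req_in[key] = src; nreq++ }  # client -> router, before SNAT
            else if (src == wan) req_out[key] = dst             # router -> Internet, after SNAT
        } else if ($8 == "reply,") {
            if (dst == wan)        rep_in[key] = 1              # Internet -> router, before reverse NAT
            else if (dst ~ inside) rep_out[key] = dst           # router -> client, after reverse NAT
        }
    }
    END {
        bad = 0
        if (nreq == 0) { print "missing: no echo requests from inside clients"; exit 1 }
        for (k in req_in) {
            if (!(k in req_out)) { print "missing: SNAT of request " k " to " wan; bad = 1 }
            if (!(k in rep_in))  { print "missing: reply " k " from the Internet to " wan; bad = 1 }
            if (!(k in rep_out) || rep_out[k] != req_in[k]) {
                print "missing: reply " k " translated back to " req_in[k]; bad = 1
            }
        }
        if (!bad) print "ok"
        exit bad
    }' "$3"
}

nat_trace_check "$INSIDE" "$WAN" "$TRACE_OK"  || echo "healthy trace failed unexpectedly"
nat_trace_check "$INSIDE" "$WAN" "$TRACE_BAD" || echo "broken trace flagged (exit status $?)"
```

To use it on a real capture, save the router's tcpdump output to a file (tcpdump -n -i any host 8.8.4.4 > trace.txt) and pass that file as the third argument. On the trace posted in this thread the check prints "ok": both translations are present, so the router has done its part and the lost reply has to be looked for beyond the router's wireless interface.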

That would indicate that in your LAN network something is not working.

Just run tcpdump -n -i wlancli host 8.8.8.8 and do the test again to ensure the packet leaves the right interface.

tcpdump won't work with the uci name, you'll need to use the physical interface, e.g. wlan0

Thanks for the correction.
Actually the question would be how the LAN is configured (didn't get that from the original post).
@cyruz Maybe also post /etc/config/wireless (without your passwords) to clarify the interface name.
Or you check yourself with ip li.

Here the result, looks ok to me but I don't receive the echo reply on the client:

01:10:38.380825 IP 10.0.0.2 > 8.8.4.4: ICMP echo request, id 262, seq 1, length 64
01:10:39.167253 IP 8.8.4.4 > 10.0.0.2: ICMP echo reply, id 262, seq 1, length 64

This is something I observed before, when trying to do the same setup with an Arch Linux laptop in place of the OpenWrt router. It's like routing as a client of a WiFi network is blocked somehow...

Well you would need to look in your Cisco network, as the packet is correctly leaving the OpenWrt interface, so for whatever reason it is swallowed in the Cisco network before reaching the client.
As you wrote you have no reject entries in your firewall logs.

I can't, I have no control of the networks. At the moment I'm using a proxy on the router. This works but it's a pain.