WLAN to LAN bridge, no DHCP

Hey,

I want to bridge a WLAN network to LAN ports using a Fritzbox 4040 with OpenWRT.

I worked through the instructions on https://openwrt.org/docs/guide-user/network/wifi/relay_configuration . I installed relayd and luci-proto-relay and set up the interfaces according to the instructions. Dnsmasq, firewall and odhcpd are disabled.

The WWAN interface gets an IP address from the main DHCP server, so the WLAN connection should work. If I assign a static IP address from the main subnet to a PC connected to a LAN port of the OpenWRT router, I can reach other systems in the main network and surf the web. So I think the bridge works.

BUT: I want to use DHCP on the PCs; but they get no IP address from the main DHCP server! I see no request on the DHCP server.

wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/soc/a000000.wifi'
	option htmode 'HT20'
	option disabled '0'
	option channel '6'
	option legacy_rates '1'
	option country 'DE'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'platform/soc/a800000.wifi'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

config wifi-iface
	option ssid 'SSID_XXXXX'
	option device 'radio0'
	option mode 'sta'
	option encryption 'wpa2'
	option eap_type 'peap'
	option auth 'EAP-MSCHAPV2'
	option identity 'XXXXX'
	option password 'XXXXX'
	option network 'wwan'

network


config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdba:2349:2bc4::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'
	option dns '8.8.8.8'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth1'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '1 2 3 4 0'

config interface 'wwan'
	option proto 'dhcp'

config interface 'repeater_bridge'
	option proto 'relay'
	list network 'lan'
	list network 'wwan'

Why are the DHCP requests not forwarded?

What version of OpenWrt are you using?

Is firewall zone correctly configured?

If you still have problems, perhaps review instructions in section 9.10 of the OpenWrt installation guide for HH5A v1.x PDF guide:
https://openwrt.ebilan.co.uk/viewtopic.php?f=7&t=266

If you're trying to truly bridge, all you should have to do is add the new client SSID to existing LAN interface and address the OpenWrt's LAN in the same subnet. Lastly, turn off DHCP - done.

Relay!=Bridge.
On the top of the page there are a few warnings that relay is not so guaranteed to work. So if you followed the instructions and it still doesn't work, I suggest you try a different approach (WDS, Layer 2 GRE tunnels (“gretap”), or mesh networking).


I use firmware version OpenWrt 18.06.5 r7897-9d401013fc / LuCI openwrt-18.06 branch (git-19.309.48729-bc17ef6).

My firewall configuration:

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'repeater_bridge'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'bridgezone'
	option forward 'ACCEPT'
	option network 'lan wwan'

But as I said, I disabled the firewall.

I need this all in my company ... but now I’m at home. I rebuilt all with my OpenWRT router at home, also a Fritzbox 4040; and everything works. Even the DHCP request works and I get an IP from my ISP router.

I think I missed something in the firewall configuration at work. At home the firewall is still on, only odhcpd and dnsmasq are disabled. I’ll try it next week ...

@lleachii
Where can I activate this bridge mode?

@trendy

Yes, that’s true.

At work I have two devices just with LAN ports, but they are mobile and I want to use them in different rooms. I also have a given WPA2-Enterprise secured WLAN network. Do these mentioned alternatives work in this scenario?

I didn't say enable bridge mode. That's because there's a bridge called LAN that already exists.

Again:

There's no magic button.

Then try to take a backup from the working model and restore it on the one that doesn't.

I tried it. But at work, it doesn't work. Maybe the combination with a WPA2-Enterprise WLAN ...
I will use the WWAN connection and its own subnet on the LAN ports ... this works.

Sorry, but my first OpenWRT installation was just 4 weeks ago.
I connect to the WLAN and the newly created WWAN interface gets an IP from the core net. And now? Set LAN interface under Network | Wireless | edit my SSID | interface configuration? Then the WWAN interface no longer has an IP, and the PC connected to LAN also gets no IP.

  • Make a client connection on WiFi
  • Go to Interfaces
  • Renumber LAN and add client SSID
  • Save and apply
  • Immediately get new DHCP and browse to new GUI IP

(You may have to do this while connected to wired Ethernet.)

If you need more (i.e. in-depth pictures), it may take some time.

I did.

[Image: Screenshot from 2020-01-15 14-59-52]
What do you mean by "renumber LAN"?

Torsten

In order to access the OpenWrt after you've completed, the LAN must be renumbered to match the subnet you're connecting to.

You may wish to do this first - so you don't lose connectivity to the web GUI during this process.

Okay, LAN interface is now in same subnet as WLAN Client interface.
(Screenshots now taken from my router at home)
[Image: interfaces]

Next I added the Client SSID to the LAN interface. Correct?

And disabled DHCP on the LAN interface.

Now I have no connection ... no DHCP and no ping to other systems in my LAN, even with a static IP.

Torsten

  • The WiFi and LAN should be in the same firewall zone
  • There should not be a separate interface for WLAN, it should be attached to LAN
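The two points in the post above can be checked mechanically against a copy of `/etc/config/wireless` and `/etc/config/firewall`. The following is an added example, not code from any poster or from OpenWrt; the function names are made up for illustration, and the sample input is trimmed from the configs posted earlier in this thread.

```python
import shlex

# Constructed sample: trimmed from the configs posted in this thread.
WIRELESS = """
config wifi-iface
	option mode 'sta'
	option network 'wwan'
"""
FIREWALL = """
config zone
	option name 'lan'
	option network 'repeater_bridge'
config zone
	option name 'bridgezone'
	option network 'lan wwan'
"""

def parse_uci(text):
    """Parse UCI text into [(section_type, {option: [values]}), ...]."""
    sections = []
    for line in text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) >= 2 and tok[0] == "config":
            sections.append((tok[1], {}))
        elif len(tok) >= 3 and tok[0] in ("option", "list") and sections:
            sections[-1][1].setdefault(tok[1], []).append(tok[2])
    return sections

def zones_of(firewall, network):
    """Names of all firewall zones whose 'network' option covers `network`."""
    return [opts.get("name", ["?"])[0]
            for kind, opts in parse_uci(firewall)
            if kind == "zone"
            and network in " ".join(opts.get("network", [])).split()]

def check_client_bridge(wireless, firewall, lan="lan"):
    """Return one finding per violated point from the post above."""
    findings = []
    for kind, opts in parse_uci(wireless):
        if kind != "wifi-iface" or opts.get("mode") != ["sta"]:
            continue
        net = opts.get("network", ["<unset>"])[0]
        if net != lan:
            findings.append(f"sta iface is attached to '{net}', not '{lan}'")
        if not set(zones_of(firewall, net)) & set(zones_of(firewall, lan)):
            findings.append(f"'{net}' and '{lan}' share no firewall zone")
    return findings

if __name__ == "__main__":
    print(check_client_bridge(WIRELESS, FIREWALL))
```

An empty result only confirms that the configuration matches the advice; it says nothing about whether the radio can bridge a station-mode interface to the LAN, which is the point raised in the next reply.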

Not all devices support bridging wifi in station mode with the LAN.
In fact I only know the WRT54 with the Broadcom. So most likely this won't work, and this is why there are the workarounds with relayd, wds, etc.

I deleted the WWAN interface, attached the SSID to LAN and disabled DHCP on LAN.
[Image: Screenshot from 2020-01-16 13-01-20]

But I still get no IP from my DHCP server or reach other systems in the LAN.

Maybe trendy is right and the Fritzbox 4040 doesn't support bridging from WLAN to LAN.

It seems you are right and the Fritzbox 4040 doesn't support bridging from WLAN to LAN.