How to bridge Wifi and LAN on Fonera+

westbywest
Posts: 14
Joined: Wed Feb 11, 2009 6:24 pm

How to bridge Wifi and LAN on Fonera+

Post by westbywest »

As described in this post, I was able to get Gargoyle beta4 working on a Fon+ (model 2201), which I've set up as a broadband router. The QoS is working great.
http://gargoyle-router.com/phpbb/viewto ... t=51&p=155

One peculiarity: the LAN port and Wifi port, although both served by the same 192.168.1.x net and the same DHCP server, are not bridged. That is, I can connect host X to wifi and host Y to the LAN port, and I can ping hosts X and Y from the Fonera+ directly. However, I can not ping host X from host Y, failing on "Destination Port Unreachable." Likewise, TCP connections b/w the wifi and LAN port. I do not have the "isolate wifi clients" option checked.

I'm not immediately seeing the problem, but it looks as tho the virtual interface "br-lan" should include more than just the physical interface eth0.0?

Here is my current /etc/config/network

Code:

config 'interface' 'loopback'
	option 'ifname' 'lo'
	option 'proto' 'static'
	option 'ipaddr' '127.0.0.1'
	option 'netmask' '255.0.0.0'

config 'interface' 'lan'
	option 'type' 'bridge'
	option 'proto' 'static'
	option 'ipaddr' '192.168.1.1'
	option 'netmask' '255.255.255.0'
	option 'ifname' 'eth0.0'
	option dns      '192.168.1.1 <DNS1> <DNS2>'

config 'interface' 'wan'
	option 'ifname' 'eth0.1'
	option 'proto' 'static'
	option 'ipaddr' '<my IP>'
	option 'netmask' '255.255.255.0'
	option gateway  '<my gw>'

Also my current /etc/config/wireless

Code:

config 'wifi-device' 'wifi0'
	option 'type' 'atheros'
	option 'channel' '10'

config 'wifi-iface' 'cfg2'
	option 'device' 'wifi0'
	option 'mode' 'ap'
	option 'network' 'lan'
	option 'ssid' 'foofoo'
	option 'encryption' 'none'

Here is the output of ifconfig

Code:

ath0      Link encap:Ethernet  HWaddr 00:18:...:1D  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:39631 errors:0 dropped:19819 overruns:0 frame:0
          TX packets:19343 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:8368626 (7.9 MiB)  TX bytes:5322818 (5.0 MiB)

br-lan    Link encap:Ethernet  HWaddr 00:18:...:1C  
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:19999 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19387 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:4069257 (3.8 MiB)  TX bytes:5374154 (5.1 MiB)

eth0      Link encap:Ethernet  HWaddr 00:18:...:1C  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20706 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20652 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:5021881 (4.7 MiB)  TX bytes:4642646 (4.4 MiB)
          Interrupt:255 Base address:0x1000 

eth0.0    Link encap:Ethernet  HWaddr 00:18:...:1C  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:216 errors:0 dropped:0 overruns:0 frame:0
          TX packets:281 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:31848 (31.1 KiB)  TX bytes:69518 (67.8 KiB)

eth0.1    Link encap:Ethernet  HWaddr 00:18:...:1C  
          inet addr:<my ip>  Bcast:<my bcast>  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:20490 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20370 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:4658737 (4.4 MiB)  TX bytes:4527033 (4.3 MiB)

imq0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          UP RUNNING NOARP  MTU:16000  Metric:1
          RX packets:17979 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17979 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:11000 
          RX bytes:4350739 (4.1 MiB)  TX bytes:4350739 (4.1 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:52 errors:0 dropped:0 overruns:0 frame:0
          TX packets:52 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:4456 (4.3 KiB)  TX bytes:4456 (4.3 KiB)

wifi0     Link encap:UNSPEC  HWaddr 00-18-...-1D-00-00-00-00-00-00-00-00-00-00  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:46253 errors:0 dropped:0 overruns:0 frame:179
          TX packets:19659 errors:134 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:195 
          RX bytes:6930412 (6.6 MiB)  TX bytes:5782249 (5.5 MiB)
          Interrupt:3 Memory:b0000000-b00ffffc 

And here is the output of route

Code:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 br-lan
<wan subnet>     *               255.255.255.0   U     0      0        0 eth0.1
default         <my gw> 0.0.0.0         UG    0      0        0 eth0.1

westbywest
Posts: 14
Joined: Wed Feb 11, 2009 6:24 pm

Re: How to bridge Wifi and LAN on Fonera+

Post by westbywest »

Ack, it looks like the wired LAN and WAN ports on the Fonera+ share the same MAC, as ifconfig only lists 2 MACs for a device with (logically) 3 interfaces. Might this be a reason why I can't ping from the wired LAN to the wireless LAN?

Code:

eth0      Link encap:Ethernet  HWaddr 00:18:...:1C  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1991069 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1769883 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1430031874 (1.3 GiB)  TX bytes:336056385 (320.4 MiB)
          Interrupt:255 Base address:0x1000 

eth0.0    Link encap:Ethernet  HWaddr 00:18:...:1C  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:802 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4909 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:87698 (85.6 KiB)  TX bytes:922803 (901.1 KiB)

eth0.1    Link encap:Ethernet  HWaddr 00:18:...:1C  
          inet addr:<my IP>  Bcast:<my bcast>  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1990267 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1764973 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1398087072 (1.3 GiB)  TX bytes:330614849 (315.2 MiB)

Would I have to create a virtual interface for the wired LAN, and then bridge between that and the wireless LAN?

FRiC
Posts: 62
Joined: Sat Sep 27, 2008 8:03 am

Re: How to bridge Wifi and LAN on Fonera+

Post by FRiC »

It must be a La Fonera / Atheros thing, since on my ASUS, where all three interfaces have the same MAC, and on my WRT54GL, where the LAN and WAN have the same MAC and wireless has a different MAC, I can ping normally.

Eric
Site Admin
Posts: 1443
Joined: Sat Jun 14, 2008 1:14 pm

Re: How to bridge Wifi and LAN on Fonera+

Post by Eric »

I haven't had a chance to check this on my Fon+ yet, but I'll certainly look into it tonight. I can confirm that this isn't an issue on Broadcom routers, however. I'm willing to bet that the LAN & WLAN are bridged. Check the output of:

Code:

brctl show br-lan

I bet you'll see both eth0.0 and ath0 under interfaces, indicating that they are, in fact, bridged.

Anyway, I have no idea why you shouldn't be able to ping the LAN from the WLAN, but as I said, I'll check this tonight.

westbywest
Posts: 14
Joined: Wed Feb 11, 2009 6:24 pm

Re: How to bridge Wifi and LAN on Fonera+

Post by westbywest »

Hello, thanks for the suggestion on brctl. I had actually just found out about that tool yesterday, and indeed it does indicate bridging between ath0 (wifi) and eth0.0 (wired LAN).

Code:

root@frida:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br-lan          8000.001884a0b01c       no              ath0
                                                        eth0.0

So, going on a hunch, I turned on STP (spanning tree protocol)...

Code:

brctl stp br-lan on

...but still no effect. Can't ping between wireless LAN and wired LAN clients. Incidentally, the blurb "br-lan: starting userspace STP failed, starting kernel STP" appeared on dmesg after doing this, so maybe STP didn't actually get enabled.

Here is the STP info:

Code:

root@frida:/tmp# brctl showstp br-lan
br-lan
 bridge id              8000.001884a0b01c
 designated root        8000.001884a0b01c
 root port                 0                    path cost                  0
 max age                  20.00                 bridge max age            20.00
 hello time                2.00                 bridge hello time          2.00
 forward delay             0.00                 bridge forward delay       0.00
 ageing time             300.00
 hello timer               1.03                 tcn timer                  0.00
 topology change timer     0.00                 gc timer                   0.03
 flags


ath0 (2)
 port id                8002                    state                forwarding
 designated root        8000.001884a0b01c       path cost                100
 designated bridge      8000.001884a0b01c       message age timer          0.00
 designated port        8002                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags

eth0.0 (1)
 port id                8001                    state                forwarding
 designated root        8000.001884a0b01c       path cost                100
 designated bridge      8000.001884a0b01c       message age timer          0.00
 designated port        8001                    forward delay timer        0.00
 designated cost           0                    hold timer                 0.00
 flags

And here is the list of connected client MACs, showing several hosts on the wifi (port 2) and one host connected to the LAN port (port 1).

Code:

root@frida:/tmp# brctl showmacs br-lan
port no mac addr                is local?       ageing timer
  2     00:0c:...:f0       no                 0.02
  1     00:18:...:1c       yes                0.00
  2     00:18:...:1d       yes                0.00
  1     00:1f:...:50       no               101.84
  2     00:23:...:82       no               119.97
  2     00:23:...:44       no                 3.10

Thanks for your assistance!

Eric
Site Admin
Posts: 1443
Joined: Sat Jun 14, 2008 1:14 pm

Re: How to bridge Wifi and LAN on Fonera+

Post by Eric »

I think the problem is that in the 2.6 kernel, packets going between interfaces, even interfaces that are bridged, go through iptables, while this is not the case for 2.4 kernels (which are used by Broadcom devices). The default iptables configuration for OpenWrt does not allow the packets through, but this is very easy to correct.

The problem should be corrected in the latest bleeding edge firmware. The fix was to add a rule to iptables that allows all traffic that originates from the lan and is going back to the lan:

Code:

iptables -I zone_lan_forward -i br-lan -o br-lan -j ACCEPT

cotarelo
Posts: 30
Joined: Wed Dec 07, 2011 4:04 pm

Re: How to bridge Wifi and LAN on Fonera+

Post by cotarelo »

Bump!

I have exactly the same problem... Here is my iptables list, in case there is some rule (I can't see it)

Code:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
bw_ingress  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
syn_flood  tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
input_rule  all  --  anywhere             anywhere
input      all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
bw_ingress  all  --  anywhere             anywhere
zone_wan_MSSFIX  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
forwarding_rule  all  --  anywhere             anywhere
forward    all  --  anywhere             anywhere
reject     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
output_rule  all  --  anywhere             anywhere
output     all  --  anywhere             anywhere

Chain bw_ingress (2 references)
target     prot opt source               destination
           all  --  anywhere             anywhere            bandwidth --id total1-download-2-449 --type combined --current_bandwidth 2344 --reset_interval 2 --reset_time 2 --intervals_to_save 449
           all  --  anywhere             anywhere            bandwidth --id bdist1-download-minute-15 --type individual_local --subnet 192.168.1.0/24 --reset_interval minute --intervals_to_save 15
           all  --  anywhere             anywhere            bandwidth --id total2-download-minute-359 --type combined --current_bandwidth 64032 --reset_interval minute --intervals_to_save 359
           all  --  anywhere             anywhere            bandwidth --id bdist2-download-900-24 --type individual_local --subnet 192.168.1.0/24 --reset_interval 900 --reset_time 900 --intervals_to_save 24
           all  --  anywhere             anywhere            bandwidth --id total3-download-180-479 --type combined --current_bandwidth 265717 --reset_interval 180 --reset_time 180 --intervals_to_save 479
           all  --  anywhere             anywhere            bandwidth --id bdist3-download-hour-24 --type individual_local --subnet 192.168.1.0/24 --reset_interval hour --intervals_to_save 24
           all  --  anywhere             anywhere            bandwidth --id total4-download-7200-359 --type combined --current_bandwidth 4588735 --reset_interval 7200 --reset_time 7200 --intervals_to_save 359
           all  --  anywhere             anywhere            bandwidth --id bdist4-download-day-31 --type individual_local --subnet 192.168.1.0/24 --reset_interval day --intervals_to_save 31
           all  --  anywhere             anywhere            bandwidth --id total5-download-day-365 --type combined --current_bandwidth 10920321 --reset_interval day --intervals_to_save 365
           all  --  anywhere             anywhere            bandwidth --id bdist5-download-month-12 --type individual_local --subnet 192.168.1.0/24 --reset_interval month --intervals_to_save 12

Chain forward (1 references)
target     prot opt source               destination
zone_lan_forward  all  --  anywhere             anywhere

Chain forwarding_lan (1 references)
target     prot opt source               destination

Chain forwarding_rule (1 references)
target     prot opt source               destination

Chain forwarding_wan (1 references)
target     prot opt source               destination

Chain input (1 references)
target     prot opt source               destination
zone_lan   all  --  anywhere             anywhere

Chain input_lan (1 references)
target     prot opt source               destination

Chain input_rule (1 references)
target     prot opt source               destination

Chain input_wan (1 references)
target     prot opt source               destination

Chain output (1 references)
target     prot opt source               destination
zone_lan_ACCEPT  all  --  anywhere             anywhere
zone_wan_ACCEPT  all  --  anywhere             anywhere

Chain output_rule (1 references)
target     prot opt source               destination

Chain reject (3 references)
target     prot opt source               destination
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain syn_flood (1 references)
target     prot opt source               destination
RETURN     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP       all  --  anywhere             anywhere

Chain zone_lan (1 references)
target     prot opt source               destination
input_lan  all  --  anywhere             anywhere
zone_lan_ACCEPT  all  --  anywhere             anywhere

Chain zone_lan_ACCEPT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain zone_lan_DROP (0 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere

Chain zone_lan_MSSFIX (0 references)
target     prot opt source               destination
TCPMSS     tcp  --  anywhere             anywhere            tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU

Chain zone_lan_REJECT (1 references)
target     prot opt source               destination
reject     all  --  anywhere             anywhere
reject     all  --  anywhere             anywhere

Chain zone_lan_forward (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
zone_wan_ACCEPT  all  --  anywhere             anywhere
forwarding_lan  all  --  anywhere             anywhere
zone_lan_REJECT  all  --  anywhere             anywhere

Chain zone_wan (0 references)
target     prot opt source               destination
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootpc
input_wan  all  --  anywhere             anywhere
zone_wan_REJECT  all  --  anywhere             anywhere

Chain zone_wan_ACCEPT (2 references)
target     prot opt source               destination

Chain zone_wan_DROP (0 references)
target     prot opt source               destination

Chain zone_wan_MSSFIX (1 references)
target     prot opt source               destination

Chain zone_wan_REJECT (2 references)
target     prot opt source               destination

Chain zone_wan_forward (0 references)
target     prot opt source               destination
forwarding_wan  all  --  anywhere             anywhere
zone_wan_REJECT  all  --  anywhere             anywhere
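
An added example, not part of any post in this thread and not Gargoyle's own code: the `iptables -L` listing above is printed without `-v`, so it has no interface columns and cannot show whether the `-i br-lan -o br-lan` rule from Eric's post is among the `ACCEPT` lines in `zone_lan_forward`. The script below answers that from `iptables -S` output instead; the function names and the sample rule sets are constructed for illustration.

```shell
#!/bin/sh
# Added example: look for the intra-LAN ACCEPT rule in `iptables -S` text.
# Function names and sample rule sets are constructed for illustration.

# Reads `iptables -S` output on stdin and prints one verdict for the rule
#   -A CHAIN -i BRIDGE -o BRIDGE -j ACCEPT
#   present  - rule found ahead of any catch-all reject/drop
#   shadowed - rule found, but only after a catch-all reject/drop
#   missing  - rule not found
# Assumption: an unconditional jump to a target whose name ends in
# REJECT, DROP or reject is a catch-all (true of zone_lan_REJECT).
intra_bridge_verdict() {
    awk -v chain="$1" -v br="$2" '
        BEGIN { verdict = "missing"; blocked = 0 }
        $1 == "-A" && $2 == chain {
            in_if = ""; out_if = ""; target = ""; extra = 0
            for (i = 3; i <= NF; i++) {
                if      ($i == "-i") in_if  = $(++i)
                else if ($i == "-o") out_if = $(++i)
                else if ($i == "-j") { target = $(++i); break }
                else extra = 1      # any other match narrows the rule
            }
            if (!extra && target == "ACCEPT" && in_if == br && out_if == br) {
                verdict = blocked ? "shadowed" : "present"
                exit
            }
            if (!extra && in_if == "" && out_if == "" &&
                target ~ /(REJECT|DROP|reject)$/)
                blocked = 1
        }
        END { print verdict }
    '
}

# Constructed dumps in `iptables -S` format (not from either poster's router).
sample_default() {
    printf '%s\n' '-N zone_lan_forward' \
        '-A zone_lan_forward -j zone_wan_ACCEPT' \
        '-A zone_lan_forward -j forwarding_lan' \
        '-A zone_lan_forward -j zone_lan_REJECT'
}
sample_inserted() {     # chain after the -I command from the thread
    printf '%s\n' '-A zone_lan_forward -i br-lan -o br-lan -j ACCEPT'
    sample_default
}
sample_appended() {     # same rule added with -A, landing after the reject
    sample_default
    printf '%s\n' '-A zone_lan_forward -i br-lan -o br-lan -j ACCEPT'
}

# Demo on the constructed samples; on a router the input would instead be
#   iptables -S zone_lan_forward | intra_bridge_verdict zone_lan_forward br-lan
for s in sample_default sample_inserted sample_appended; do
    printf '%-16s %s\n' "$s" "$($s | intra_bridge_verdict zone_lan_forward br-lan)"
done
```

The `shadowed` case shows why the command in the thread uses `-I` (insert at the top of the chain) rather than `-A`: a rule appended after the jump to `zone_lan_REJECT` is never reached.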
