Bridged Client
For routers based on the Broadcom chipset, the OpenWrt brcm-2.4 target supports bridged client mode through the proprietary wl.o driver.
This configuration will not work for routers that are on other platforms, such as Atheros chipsets - see Bridged Client Mode Issues. The UI will not display any warnings if this is attempted on a non-compatible chipset; it will silently fail in the fashion described in the "Issues" article. Some possible alternatives include Routed Client with relayd (Pseudobridge) or WDS (Atheros).
An advantage of this operation mode is the possibility to extend an existing wireless network without changing the existing setup.
In contrast to the routed client mode, all broadcasts are forwarded via the wireless connection, allowing all connected hosts to see each other as if they were connected to the same ethernet switch.
Configuration
The changes below assume an OpenWrt Kamikaze or Backfire version, the relevant files are:
In order to enable the bridged client mode, the mode of the existing wireless network is changed to sta and channel, SSID and encryption are changed to correspond to the wireless network we connect to.
Since the default configuration already bridges the wireless to the lan interface, no further changes are necessary.
Before doing any actual configuration, the wifi interface must be enabled in order to be able to scan for networks in the vicinity:
uci del wireless.wl0.disabled
uci commit wireless
uci set wireless.wl0.country=DE
wifi
- Remove the disabled 1 option from the wireless configuration
- Save changed configuration file
- Select your country; this is important because some countries don't support wifi channels 12, 13, etc.
- Start wireless using the wifi command
Now we can issue the iwlist scan command to list networks in range, the required information is highlighted:
iwlist wl0 scan
wl0 Scan completed :
Cell 01 - Address: 00:1D:19:0E:03:8F
ESSID:"Vodafone-0E0301"
Mode:Managed
Channel:9
Quality:3/5 Signal level:-69 dBm Noise level:-92 dBm
IE: IEEE 802.11i/WPA2 Version 1
Group Cipher : TKIP
Pairwise Ciphers (2) : TKIP CCMP
Authentication Suites (1) : PSK
Preauthentication Supported
IE: WPA Version 1
Group Cipher : TKIP
Pairwise Ciphers (2) : TKIP CCMP
Authentication Suites (1) : PSK
Encryption key:on
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 6 Mb/s; 9 Mb/s
11 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
48 Mb/s; 54 Mb/s
Cell 02 - Address: 00:1A:4F:8F:48:50
ESSID:"FRITZ!Box Fon WLAN 7141"
Mode:Managed
Channel:4
Quality:1/5 Signal level:-83 dBm Noise level:-92 dBm
IE: WPA Version 1
Group Cipher : TKIP
Pairwise Ciphers (1) : TKIP
Authentication Suites (1) : PSK
Encryption key:on
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
48 Mb/s; 54 Mb/s
Cell 03 - Address: 00:22:2D:0E:58:F1
ESSID:"WLAN_SUHA"
Mode:Managed
Channel:2
Quality:4/5 Signal level:-61 dBm Noise level:-92 dBm
Encryption key:on
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 6 Mb/s; 9 Mb/s
11 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
48 Mb/s; 54 Mb/s
- ESSID is the name of the network
- Channel specifies the frequency on which the corresponding network is operating
- The lines starting with IE: report which encryption capabilities are supported by the access point:
- IEEE 802.11i/WPA2 Version 1 indicates WPA2
- WPA Version 1 indicates WPA
- If both WPA and WPA2 are present, the network is most likely operating in WPA/WPA2 mixed mode
- If no IE: line appears in the scan output, as for the Cell 03 network in the example, the network could be using WEP mode.
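The rules above, applied mechanically to scan output. This is an added example, not part of the original recipe: the function names, the `|`-separated output format and the `Encryption key:off` case (an open network) are assumptions of the example, and the sample input is constructed by abbreviating the three cells shown above.

```shell
#!/bin/sh
# Constructed sample: three cells abbreviated from the scan output shown above.
sample_scan() {
    cat <<'EOF'
wl0 Scan completed :
Cell 01 - Address: 00:1D:19:0E:03:8F
ESSID:"Vodafone-0E0301"
Channel:9
IE: IEEE 802.11i/WPA2 Version 1
IE: WPA Version 1
Encryption key:on
Cell 02 - Address: 00:1A:4F:8F:48:50
ESSID:"FRITZ!Box Fon WLAN 7141"
Channel:4
IE: WPA Version 1
Encryption key:on
Cell 03 - Address: 00:22:2D:0E:58:F1
ESSID:"WLAN_SUHA"
Channel:2
Encryption key:on
EOF
}

# Read `iwlist <iface> scan` output on stdin and print one line per cell:
#   ESSID|channel|detected mode|suggested value for option encryption
classify_scan() {
    awk '
    function emit() {
        if (!incell) return
        if (wpa2 && wpa)  { mode = "WPA/WPA2 mixed"; enc = "psk2" }
        else if (wpa2)    { mode = "WPA2";           enc = "psk2" }
        else if (wpa)     { mode = "WPA";            enc = "psk"  }
        else if (keyon)   { mode = "WEP (likely)";   enc = "wep"  }
        else              { mode = "open";           enc = "none" }
        printf "%s|%s|%s|%s\n", essid, chan, mode, enc
    }
    /Cell [0-9]+ - Address:/  { emit(); incell = 1; essid = chan = ""; wpa = wpa2 = keyon = 0 }
    /ESSID:/                  { essid = $0; sub(/^[^"]*"/, "", essid); sub(/"[^"]*$/, "", essid) }
    /Channel:/                { chan = $0; sub(/.*Channel:/, "", chan) }
    /IE: IEEE 802.11i\/WPA2/  { wpa2 = 1 }   # WPA2 information element
    /IE: WPA Version/         { wpa = 1 }    # WPA information element
    /Encryption key:on/       { keyon = 1 }  # privacy bit set; with no IE this suggests WEP
    END { emit() }
    '
}

sample_scan | classify_scan
```

On the router itself the live scan can be piped in with `iwlist wl0 scan | classify_scan`; a cell reported as WEP or open is worth noticing before bridging wired hosts onto it.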
Step 1: Configure wireless
Suppose we want to connect to the network called "Vodafone-0E0301"; the previous scan result revealed the following information:
- ESSID is Vodafone-0E0301
- Channel is 9
- The network uses WPA/WPA2 mixed mode
Edit /etc/config/wireless and change the mode of the existing wireless network to sta, the channel to 9 and the ESSID to Vodafone-0E0301:
config 'wifi-device' 'wl0'
option 'type' 'broadcom'
option 'country' 'DE'
option 'channel' '9'
config 'wifi-iface'
option 'device' 'wl0'
option 'network' 'lan'
option 'mode' 'sta'
option 'ssid' 'Vodafone-0E0301'
option 'encryption' 'psk2'
option 'key' 'secret-key'
- encryption psk2 requests WPA2-PSK for the client connection (see WPA modes)
- key secret-key specifies the secret encryption key used on this wireless network
Proceed with calling wifi to apply the new wireless configuration and check the result using iwconfig:
wifi
iw dev wl0 link
Connected to 00:1D:19:0E:03:8F (on wl0)
SSID: tesla-5g-bcm
freq: 2432
RX: 49716623 bytes (211199 packets)
TX: 22865049 bytes (98041 packets)
signal: -43 dBm
tx bitrate: 300.0 MBit/s MCS 15 40MHz short GI
bss flags: short-slot-time
dtim period: 0
beacon int: 100
- Access Point: 00:1D:19:0E:03:8F indicates a successful connection
- Access Point: Not-Associated would indicate a connection or authentication problem
If the target network uses the 192.168.1.0/24 subnet, you must change the default LAN IP address to the same subnet, e.g. to 192.168.1.10.
At this point hosts connected to the LAN ports of the OpenWrt router should be able to receive DHCP directly from the remote access point.
Step 2: Disable the DHCP server
Since the device is operating as client in another network and relays all communication from the associated Access Point to its LAN hosts, the local DHCP server should be disabled to avoid collisions.
Edit /etc/config/dhcp and set the predefined LAN DHCP pool to ignore:
config 'dhcp' 'lan'
option 'interface' 'lan'
option 'start' '100'
option 'limit' '150'
option 'leasetime' '12h'
option 'ignore' '1'
Apply the change by restarting dnsmasq:
/etc/init.d/dnsmasq restart
Step 3: Disable the firewall
This step is not strictly required but disabling the firewall saves resources when operating as a dumb bridge - there is no need to filter traffic running from wifi to ethernet and back.
Stop and disable the firewall by using the init script:
/etc/init.d/firewall stop
/etc/init.d/firewall disable
Step 4: Specify gateway
In my case, after following this recipe through all three steps, the network was working fine, but internet was not accessible. To make internet work I needed to additionally add a new config section - a gateway route (in my case 192.168.1.1) for the lan interface in /etc/config/network:
config 'route'
option 'interface' 'lan'
option 'target' '0.0.0.0'
option 'netmask' '0.0.0.0'
option 'gateway' '192.168.1.1'
And to make domains resolve I needed to add a dns server address (for example 8.8.8.8) in /etc/config/network to the lan interface section:
config 'interface' 'lan'
…
option 'dns' '8.8.8.8'
See also
For more on wireless client mode see clientmode
doc/recipes/bridgedclient.txt · Last modified: 2013/05/01 18:55 by mcgrof
This text is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.


