Bridged Client

For routers based on the Broadcom chipset, the OpenWrt brcm-2.4 target supports bridged client mode through the proprietary wl.o driver.

This configuration will not work for routers that are on other platforms, such as Atheros chipsets - see Bridged Client Mode Issues. The UI will not display any warnings if this is attempted on a non-compatible chipset; it will silently fail in the fashion described in the "Issues" article. Some possible alternatives include Routed Client with relayd (Pseudobridge) or WDS (Atheros).

An advantage of this operation mode is the possibility to extend an existing wireless network without changing the existing setup.

WET Mode

In contrast to routed client mode, all broadcasts are forwarded via the wireless connection, allowing all connected hosts to see each other as if they were connected to the same Ethernet switch.

Configuration

The changes below assume an OpenWrt Kamikaze or Backfire version, the relevant files are:

In order to enable the bridged client mode, the mode of the existing wireless network is changed to sta and channel, SSID and encryption are changed to correspond to the wireless network we connect to.

Since the default configuration already bridges the wireless to the lan interface, no further changes are necessary.

Before doing any actual configuration, the wifi interface must be enabled in order to be able to scan for networks in the vicinity:

uci del wireless.wl0.disabled
uci commit wireless
uci set wireless.wl0.country=DE
wifi

  • Remove the disabled 1 option from the wireless configuration
  • Save the changed configuration file
  • Select your country; this is important because some countries don't support wifi channels 12, 13, etc.
  • Start wireless using the wifi command

Now we can issue the iwlist scan command to list networks in range, the required information is highlighted:

iwlist wl0 scan
wl0       Scan completed :
          Cell 01 - Address: 00:1D:19:0E:03:8F
                    ESSID:"Vodafone-0E0301"
                    Mode:Managed
                    Channel:9
                    Quality:3/5  Signal level:-69 dBm  Noise level:-92 dBm
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (2) : TKIP CCMP
                        Authentication Suites (1) : PSK
                        Preauthentication Supported
                    IE: WPA Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (2) : TKIP CCMP
                        Authentication Suites (1) : PSK
                    Encryption key:on
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 6 Mb/s; 9 Mb/s
                              11 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
                              48 Mb/s; 54 Mb/s
          Cell 02 - Address: 00:1A:4F:8F:48:50
                    ESSID:"FRITZ!Box Fon WLAN 7141"
                    Mode:Managed
                    Channel:4
                    Quality:1/5  Signal level:-83 dBm  Noise level:-92 dBm
                    IE: WPA Version 1
                        Group Cipher : TKIP
                        Pairwise Ciphers (1) : TKIP
                        Authentication Suites (1) : PSK
                    Encryption key:on
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                              9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
                              48 Mb/s; 54 Mb/s
          Cell 03 - Address: 00:22:2D:0E:58:F1
                    ESSID:"WLAN_SUHA"
                    Mode:Managed
                    Channel:2
                    Quality:4/5  Signal level:-61 dBm  Noise level:-92 dBm
                    Encryption key:on
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 6 Mb/s; 9 Mb/s
                              11 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s
                              48 Mb/s; 54 Mb/s

  • ESSID is the name of the network
  • Channel specifies the frequency the corresponding network is operating on
  • The lines starting with IE: report which encryption capabilities are supported by the access point:
    • IEEE 802.11i/WPA2 Version 1 indicates WPA2
    • WPA Version 1 indicates WPA
    • If both WPA and WPA2 are present, the network is most likely operating in WPA/WPA2 mixed mode
    • If no IE: line appears in the scan result, as for the Cell 03 network in the example, the wireless network could be using WEP mode.
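
The rules above can be applied mechanically. The following shell function is an added example, not part of the original recipe: it reads iwlist scan output and reports each cell's ESSID, channel and security mode from its IE: lines. The helper name classify_scan, the output format and the abridged sample scan are assumptions made for illustration; it also reports "open" for Encryption key:off, a case the scan on this page does not show.

```shell
#!/bin/sh
# Added example: classify each cell of `iwlist <iface> scan` by its IE: lines.
# SAMPLE_SCAN is constructed from the scan output on this page (abridged).
SAMPLE_SCAN='wl0       Scan completed :
          Cell 01 - Address: 00:1D:19:0E:03:8F
                    ESSID:"Vodafone-0E0301"
                    Channel:9
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : TKIP
                    IE: WPA Version 1
                        Group Cipher : TKIP
                    Encryption key:on
          Cell 02 - Address: 00:1A:4F:8F:48:50
                    ESSID:"FRITZ!Box Fon WLAN 7141"
                    Channel:4
                    IE: WPA Version 1
                        Group Cipher : TKIP
                    Encryption key:on
          Cell 03 - Address: 00:22:2D:0E:58:F1
                    ESSID:"WLAN_SUHA"
                    Channel:2
                    Encryption key:on'

# classify_scan (hypothetical helper): scan text on stdin,
# one "ESSID|channel|security" line per cell on stdout.
classify_scan() {
    awk '
    function emit(   sec) {
        if (!seen) return
        if (wpa2 && wpa) sec = "WPA/WPA2 mixed"
        else if (wpa2)   sec = "WPA2"
        else if (wpa)    sec = "WPA"
        else if (key)    sec = "WEP (no IE)"   # key on, but no IE: line
        else             sec = "open"          # Encryption key:off
        printf "%s|%s|%s\n", essid, chan, sec
    }
    /Cell [0-9]+ - Address:/ { emit(); seen = 1; essid = chan = ""; wpa = wpa2 = key = 0 }
    /^[ \t]*ESSID:"/   { essid = $0; sub(/^[ \t]*ESSID:"/, "", essid); sub(/"[ \t]*$/, "", essid) }
    /^[ \t]*Channel:/  { chan = $0; gsub(/[^0-9]/, "", chan) }
    /IE: IEEE 802\.11i\/WPA2 Version/ { wpa2 = 1 }
    /IE: WPA Version/  { wpa = 1 }
    /Encryption key:on/ { key = 1 }
    END { emit() }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_SCAN" | classify_scan
```

On the router the same function can be fed live data with iwlist wl0 scan | classify_scan.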

Step 1: Configure wireless

Suppose we want to connect to the network called "Vodafone-0E0301". The previous scan result revealed the following information:

  • ESSID is Vodafone-0E0301
  • Channel is 9
  • The network uses WPA/WPA2 mixed mode


Edit /etc/config/wireless and change the mode of the existing wireless network to sta, the channel to 9 and the ESSID to Vodafone-0E0301:

config 'wifi-device' 'wl0'
        option 'type' 'broadcom'
        option 'country' 'DE'
        option 'channel' '9'

config 'wifi-iface'
        option 'device' 'wl0'
        option 'network' 'lan'
        option 'mode' 'sta'
        option 'ssid' 'Vodafone-0E0301'
        option 'encryption' 'psk2'
        option 'key' 'secret-key'

  • encryption psk2 requests WPA2-PSK for the client connection (see WPA modes)
  • key secret-key specifies the secret encryption key used on this wireless network


Proceed with calling wifi to apply the new wireless configuration and check the result using iwconfig or, as shown here, iw dev wl0 link:

wifi
iw dev wl0 link
Connected to 00:1D:19:0E:03:8F (on wl0)
	SSID: tesla-5g-bcm
	freq: 2432
	RX: 49716623 bytes (211199 packets)
	TX: 22865049 bytes (98041 packets)
	signal: -43 dBm
	tx bitrate: 300.0 MBit/s MCS 15 40MHz short GI

	bss flags:	short-slot-time
	dtim period:	0
	beacon int:	100

  • Access Point: 00:1D:19:0E:03:8F in the iwconfig output (Connected to 00:1D:19:0E:03:8F in the iw output) indicates a successful connection
  • Access Point: Not-Associated would indicate a connection or authentication problem

If the target network uses the 192.168.1.0/24 subnet, you must change the default LAN IP address to an address in the same subnet, e.g. to 192.168.1.10.

At this point hosts connected to the LAN ports of the OpenWrt router should be able to receive DHCP directly from the remote access point.

Step 2: Disable the DHCP server

Since the device is operating as client in another network and relays all communication from the associated Access Point to its LAN hosts, the local DHCP server should be disabled to avoid collisions.

Edit /etc/config/dhcp and set the predefined LAN DHCP pool to ignore:

config 'dhcp' 'lan'
        option 'interface' 'lan'
        option 'start' '100'
        option 'limit' '150'
        option 'leasetime' '12h'
        option 'ignore' '1'

Apply the change by restarting dnsmasq:

/etc/init.d/dnsmasq restart

Step 3: Disable the firewall

This step is not strictly required but disabling the firewall saves resources when operating as a dumb bridge - there is no need to filter traffic running from wifi to ethernet and back.

Stop and disable the firewall by using the init script:

/etc/init.d/firewall stop
/etc/init.d/firewall disable

Step 4: Specify gateway

In my case, after following this recipe through all three steps, the network was working fine, but internet was not accessible. To make internet work I needed to additionally add a gateway route (in my case 192.168.1.1) and to make domains resolve I needed to add a dns server address (for example 8.8.8.8) for the lan interface in /etc/config/network:

config 'interface' 'lan'
        …
        option 'dns' '8.8.8.8'
        option 'gateway' '192.168.1.1'
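
A check of the settings changed in Steps 1 and 2, as an added example that is not part of the original recipe: it parses UCI text and reports a client interface that is not in sta mode or not on the lan bridge, an open or WEP uplink, and a LAN DHCP pool that is still active. The helper name audit_bridge and the concatenated sample input are assumptions; it expects a single wifi-iface section.

```shell
#!/bin/sh
# Added example: lint the UCI settings this recipe changes in Steps 1 and 2.
# SAMPLE_CONFIG is constructed: the wireless and dhcp sections shown on this
# page, concatenated into one text.
SAMPLE_CONFIG="config 'wifi-device' 'wl0'
	option 'type' 'broadcom'
	option 'channel' '9'
config 'wifi-iface'
	option 'device' 'wl0'
	option 'network' 'lan'
	option 'mode' 'sta'
	option 'ssid' 'Vodafone-0E0301'
	option 'encryption' 'psk2'
	option 'key' 'secret-key'
config 'dhcp' 'lan'
	option 'interface' 'lan'
	option 'ignore' '1'"

# audit_bridge (hypothetical helper): UCI text on stdin, one finding per line
# on stdout, or "OK" when nothing is wrong. Assumes a single wifi-iface section.
audit_bridge() {
    awk -v q="'" '
    { gsub(q, ""); gsub(/"/, "") }              # drop optional UCI quoting
    $1 == "config" { sect = $2 ":" $3; next }   # unnamed section gives "type:"
    $1 == "option" { val[sect ":" $2] = $3 }
    END {
        n = 0
        if (val["wifi-iface::mode"] != "sta")
            msg[n++] = "wifi-iface: mode is not sta"
        if (val["wifi-iface::network"] != "lan")
            msg[n++] = "wifi-iface: not attached to the lan bridge"
        enc = val["wifi-iface::encryption"]
        if (enc == "" || enc == "none" || enc ~ /^wep/)
            msg[n++] = "wifi-iface: uplink is open or WEP (" (enc == "" ? "unset" : enc) ")"
        if (val["dhcp:lan:ignore"] != "1")
            msg[n++] = "dhcp lan: ignore is not 1, second DHCP server on the bridge"
        if (n == 0) print "OK"
        for (i = 0; i < n; i++) print msg[i]
    }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_CONFIG" | audit_bridge
```

On the router, feed it the real files: cat /etc/config/wireless /etc/config/dhcp | audit_bridge.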

See also

For more on wireless client mode see clientmode

doc/recipes/bridgedclient.txt · Last modified: 2014/12/01 13:36 by jow