Routed Client with relayd (Pseudobridge)

In the default configuration, OpenWrt bridges the wireless network to the LAN of the device. Most wireless drivers do not support bridging in client mode (see Bridged Client Mode Issues), therefore the traffic between LAN and the wireless client must be routed. The relayd package helps to implement a bridge-like behaviour with DHCP and broadcast relaying comparable to the proprietary Broadcom WET mode.

Relayd Topology

The steps outlined below cover the process of putting the radio into client mode and linking it with the LAN interface with the help of relayd. Note that the 192.168.2.0 network in the above picture is not going to be used by any clients. It is nevertheless required: for relayd to work, the lan interface must be in a different subnet.

Configuration with Luci

When using Luci you also need to install the luci-proto-relay package.
OpenWrt PseudoBridge HowTo for TL-WR703n or any other device based on package relayd and luci-proto-relay.
Repeater configurations here! Both ways, bridged and simple repeater.

Configuration

The changes below assume an OpenWrt default configuration, the relevant files are:

Before doing any actual configuration, the wifi interface must be enabled in order to be able to scan for networks in the vicinity:

uci set wireless.@wifi-device[0].disabled=0
uci commit wireless
wifi

  • Set the disabled option to 0 (to enable wireless)
  • Save changed configuration file
  • Start wireless using the wifi command

Now we can list networks in range using:

  • in OpenWrt 10.03 and previous, use: iwlist scan
  • in 12.09, substituting your actual wireless interface for wlan0 if different: iw dev wlan0 scan
    • ifconfig lists all available interfaces if wlan0 is not correct

'iwlist scan' output example

      root@OpenWrt:~# iwlist scan
      wlan0     Scan completed :
                Cell 01 - Address: 00:16:01:0A:B2:8F
                          Channel:11
                          Frequency:2.462 GHz (Channel 11)
                          Quality=70/70  Signal level=-33 dBm
                          Encryption key:on
                          ESSID:"xmff-relay"
                          Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s
                                    24 Mb/s; 36 Mb/s; 54 Mb/s
                          Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 48 Mb/s
                          Mode:Master
                          Extra:tsf=000000173feaf1b7
                          Extra: Last beacon: 100ms ago
                          IE: Unknown: 000A786D66662D72656C6179
                          IE: Unknown: 010882848B962430486C
                          IE: Unknown: 03010B
                          IE: Unknown: 2A0100
                          IE: Unknown: 2F0100
                          IE: Unknown: 32040C121860
                          IE: Unknown: DD090010180201F0000000
                          IE: WPA Version 1
                              Group Cipher : TKIP
                              Pairwise Ciphers (1) : TKIP
                              Authentication Suites (1) : PSK
                Cell 02 - Address: 00:14:BF:16:D4:DF
                          Channel:1
                          Frequency:2.412 GHz (Channel 1)
                          Quality=23/70  Signal level=-87 dBm
                          Encryption key:on
                          ESSID:"Morpheus"
                          Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s
                                    24 Mb/s; 36 Mb/s; 54 Mb/s
                          Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 48 Mb/s
                          Mode:Master
                          Extra:tsf=0000019e5b85538f
                          Extra: Last beacon: 11580ms ago
                          IE: Unknown: 00084D6F727068657573
                          IE: Unknown: 010882848B962430486C
                          IE: Unknown: 030101
                          IE: Unknown: 2A0100
                          IE: Unknown: 2F0100
                          IE: Unknown: 32040C121860
                          IE: Unknown: DD06001018020004
                          IE: WPA Version 1
                              Group Cipher : TKIP
                              Pairwise Ciphers (1) : TKIP
                              Authentication Suites (1) : PSK
                Cell 03 - Address: 00:1A:4F:8F:48:50
                          Channel:4
                          Frequency:2.427 GHz (Channel 4)
                          Quality=26/70  Signal level=-84 dBm
                          Encryption key:on
                          ESSID:"FRITZ!Box Fon WLAN 7141"
                          Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s
                          Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s
                                    36 Mb/s; 48 Mb/s; 54 Mb/s
                          Mode:Master
                          Extra:tsf=00000044688c8235
                          Extra: Last beacon: 500ms ago
                          IE: Unknown: 0017465249545A21426F7820466F6E20574C414E2037313431
                          IE: Unknown: 010482848B96
                          IE: Unknown: 030104
                          IE: Unknown: 2A0107
                          IE: IEEE 802.11i/WPA2 Version 1
                              Group Cipher : TKIP
                              Pairwise Ciphers (1) : CCMP
                              Authentication Suites (1) : PSK
                          IE: Unknown: 32080C1218243048606C
                          IE: WPA Version 1
                              Group Cipher : TKIP
                              Pairwise Ciphers (1) : TKIP
                              Authentication Suites (1) : PSK
                          IE: Unknown: DD0A0800280101000200FF0F
                          IE: Unknown: DD180050F2020101800003A4000027A4000042435E0062322F00

  • ESSID is the name of the network
  • Channel specifies the frequency on which the corresponding network operates
  • The lines starting with IE: report which encryption capabilities are supported by the access point:
    • IEEE 802.11i/WPA2 Version 1 indicates WPA2
    • WPA Version 1 indicates WPA
    • If both WPA and WPA2 are present, the network is most likely operating in WPA/WPA2 mixed mode

'iw dev wlan0 scan' output example

      root@OpenWrt:~# iw dev wlan0 scan
      BSS c1:9e:db:ff:af:ad(on wlan0)
              TSF: 71481395591 usec (0d, 19:51:21)
              freq: 2412
              beacon interval: 100 TUs
              capability: ESS Privacy ShortPreamble ShortSlotTime (0x0431)
              signal: -56.00 dBm
              last seen: 660 ms ago
              Information elements from Probe Response frame:
              SSID: HogardeDolly
              Supported rates: 1.0* 2.0* 5.5* 11.0* 6.0* 9.0 12.0* 18.0
              DS Parameter set: channel 1
              ERP: <no flags>
              ERP D4.0: <no flags>
              RSN:     * Version: 1
                       * Group cipher: TKIP
                       * Pairwise ciphers: CCMP TKIP
                       * Authentication suites: PSK
                       * Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
              Extended supported rates: 24.0* 36.0 48.0 54.0
              HT capabilities:
                      Capabilities: 0x11ce
                              HT20/HT40
                              SM Power Save disabled
                              RX HT40 SGI
                              TX STBC
                              RX STBC 1-stream
                              Max AMSDU length: 3839 bytes
                              DSSS/CCK HT40
                      Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
                      Minimum RX AMPDU time spacing: 8 usec (0x06)
                      HT RX MCS rate indexes supported: 0-15
                      HT TX MCS rate indexes are undefined
              HT operation:
                       * primary channel: 1
                       * secondary channel offset: above
                       * STA channel width: any
                       * RIFS: 1
                       * HT protection: no
                       * non-GF present: 1
                       * OBSS non-GF present: 0
                       * dual beacon: 0
                       * dual CTS protection: 0
                       * STBC beacon: 0
                       * L-SIG TXOP Prot: 0
                       * PCO active: 0
                       * PCO phase: 0
              WPA:     * Version: 1
                       * Group cipher: TKIP
                       * Pairwise ciphers: CCMP TKIP
                       * Authentication suites: PSK
              WMM:     * Parameter version 1
                       * BE: CW 15-63, AIFSN 3
                       * BK: CW 15-1023, AIFSN 7
                       * VI: CW 7-15, AIFSN 1, TXOP 3008 usec
                       * VO: CW 3-7, AIFSN 1, TXOP 1504 usec
      BSS 31:ff:1e:36:ed:21(on wlan0)
              TSF: 36618930211 usec (0d, 10:10:18)
              freq: 2437
              beacon interval: 100 TUs
              capability: ESS Privacy ShortPreamble ShortSlotTime (0x0431)
              signal: -70.00 dBm
              last seen: 380 ms ago
              Information elements from Probe Response frame:
              SSID: uFi_06ED61
              Supported rates: 1.0* 2.0* 5.5* 6.0 9.0 11.0* 12.0 18.0
              DS Parameter set: channel 6
              Country: HK     Environment: bogus
                      Channels [1 - 13] @ 20 dBm
              ERP: <no flags>
              Extended supported rates: 24.0 36.0 48.0 54.0
              HT capabilities:
                      Capabilities: 0x0c
                              HT20
                              SM Power Save disabled
                              No RX STBC
                              Max AMSDU length: 3839 bytes
                              No DSSS/CCK HT40
                      Maximum RX AMPDU length 8191 bytes (exponent: 0x000)
                      Minimum RX AMPDU time spacing: No restriction (0x00)
                      HT RX MCS rate indexes supported: 0-7
                      HT TX MCS rate indexes are undefined
              HT operation:
                       * primary channel: 6
                       * secondary channel offset: no secondary
                       * STA channel width: 20 MHz
                       * RIFS: 0
                       * HT protection: nonmember
                       * non-GF present: 0
                       * OBSS non-GF present: 0
                       * dual beacon: 0
                       * dual CTS protection: 0
                       * STBC beacon: 0
                       * L-SIG TXOP Prot: 0
                       * PCO active: 0
                       * PCO phase: 0
              WPA:     * Version: 1
                       * Group cipher: TKIP
                       * Pairwise ciphers: CCMP TKIP
                       * Authentication suites: PSK
              RSN:     * Version: 1
                       * Group cipher: TKIP
                       * Pairwise ciphers: CCMP TKIP
                       * Authentication suites: PSK
                       * Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
              WMM:     * Parameter version 1
                       * BE: CW 15-1023, AIFSN 3
                       * BK: CW 15-1023, AIFSN 7
                       * VI: CW 7-15, AIFSN 2, TXOP 3008 usec
                       * VO: CW 3-7, AIFSN 2, TXOP 1504 usec
              WPS:     * Version: 1.0
                       * Wi-Fi Protected Setup State: 2 (Configured)
                       * Response Type: 3 (AP)
                       * UUID: f23a0b52-48fc-5f20-9a5b-3cd27cf64566
                       * Manufacturer: ZTE
                       * Model: AR6003
                       * Model Number:
                       * Serial Number:
                       * Primary Device Type: 6-0050f204-1
                       * Device name: ZTE-AP
                       * Config methods: Label, Display, PBC, Keypad
                       * RF Bands: 0x1
      root@OpenWrt:~#
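
The interpretation rules listed above, applied to the iw scan format, as an added example that is not part of the original page: in iw output the RSN block is the WPA2 element and the WPA block is the WPA element. The function names, the output layout and the second sample BSS are made up here; psk-mixed, wep and none are standard OpenWrt encryption values that this page does not use itself, and only PSK networks are assumed.

```shell
# classify_scan: read `iw dev <iface> scan` text on stdin, print one line per
# BSS as  SSID|channel|encryption|pairwise ciphers  where "encryption" is the
# value for the UCI encryption option (assumption: PSK networks only).
classify_scan() {
    awk '
    function emit() {
        if (!seen) return
        if (rsn && wpa) enc = "psk-mixed"   # both IEs: WPA/WPA2 mixed mode
        else if (rsn)   enc = "psk2"        # RSN IE only: WPA2
        else if (wpa)   enc = "psk"         # WPA IE only: WPA(1)
        else if (priv)  enc = "wep"         # Privacy bit without WPA/RSN
        else            enc = "none"
        printf "%s|%s|%s|%s\n", ssid, chan, enc, (rsn ? rsnc : wpac)
    }
    /^[ \t]*BSS [0-9a-fA-F][0-9a-fA-F]:/ {
        emit(); seen = 1
        ssid = chan = rsnc = wpac = sect = ""; rsn = wpa = priv = 0; next
    }
    /^[ \t]*capability:.* Privacy/      { priv = 1 }
    # SSIDs are chosen by the remote AP: stop here so the name is never parsed
    /^[ \t]*SSID: /                     { sub(/^[ \t]*SSID: /, ""); ssid = $0; next }
    /^[ \t]*DS Parameter set: channel / { chan = $NF }
    /^[ \t]*RSN:/                       { rsn = 1; sect = "RSN" }
    /^[ \t]*WPA:/                       { wpa = 1; sect = "WPA" }
    /\* Pairwise ciphers: / {
        sub(/^.*Pairwise ciphers: /, "")
        if (sect == "RSN") rsnc = $0; else if (sect == "WPA") wpac = $0
    }
    END { emit() }
    '
}

# Constructed sample: first BSS trimmed from the scan above, second invented.
sample_scan() {
cat <<'EOF'
BSS c1:9e:db:ff:af:ad(on wlan0)
        capability: ESS Privacy ShortPreamble ShortSlotTime (0x0431)
        SSID: HogardeDolly
        DS Parameter set: channel 1
        RSN:     * Version: 1
                 * Pairwise ciphers: CCMP TKIP
        WPA:     * Version: 1
                 * Pairwise ciphers: CCMP TKIP
BSS 02:00:00:00:00:01(on wlan0)
        capability: ESS Privacy ShortSlotTime (0x0411)
        SSID: example wpa2
        DS Parameter set: channel 11
        RSN:     * Version: 1
                 * Pairwise ciphers: CCMP
EOF
}

sample_scan | classify_scan
```

On the router, feed it live data with: iw dev wlan0 scan | classify_scan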

Step 1: Create an interface for the wireless station

Edit /etc/config/network and add a new interface, for example wwan, with proto set to dhcp:

config 'interface' 'wwan'
        option 'proto' 'dhcp'

Note that no ifname is required here since the wireless network will reference this section later.

UCI CLI commands:

uci set network.wwan=interface
uci set network.wwan.proto=dhcp
uci commit network

Step 2: Change the existing wireless network

Suppose we want to connect to the network called "xmff-relay". The previous scan result revealed the following information:

  • ESSID is xmff-relay
  • Channel is 11
  • The network uses WPA(1) mode


In /etc/config/wireless, locate the existing wifi-iface section and change its network option to point to the newly created interface. Change the mode option to sta (Station) and alter the encryption options to match those of the target network.

config 'wifi-device' 'radio0'
        option 'type' 'mac80211'
        …
        option 'channel' '11'

config 'wifi-iface'
        option 'device' 'radio0'
        option 'network' 'wwan'
        option 'mode' 'sta'
        option 'ssid' 'xmff-relay'
        option 'encryption' 'psk'
        option 'key' 'secret-key'

UCI CLI commands:

uci set wireless.radio0.channel=11
uci set wireless.@wifi-iface[0].network=wwan
uci set wireless.@wifi-iface[0].mode=sta
uci set wireless.@wifi-iface[0].ssid=xmff-relay
uci set wireless.@wifi-iface[0].encryption=psk
uci set wireless.@wifi-iface[0].key=secret-key
uci commit wireless

Finally restart wifi using:

wifi down; wifi

Note that if you receive device or resource busy or command not found errors, you may need to issue a reboot command and reconnect before continuing. If you have connected successfully to the existing network, ifconfig should reveal that wlan0 (or whatever your wireless interface is called) has an IP address on the existing wireless network.

You should now be connected to the internet (you will need this connection for step 3).

Step 3: Install relayd

If the relayd package is not present on the system yet, install it using:

opkg update
opkg install relayd

In 12.09 and trunk versions it is also required to enable the relayd init script to function properly:

/etc/init.d/relayd enable

Step 4: Declare a relay interface

Back in /etc/config/network, add another new interface, this time with the special protocol relay:

config 'interface' 'stabridge'
        option 'proto' 'relay'
        option 'network' 'lan wwan'

The existing lan network and the newly created wwan network are grouped together here.

UCI CLI commands:

uci set network.stabridge=interface
uci set network.stabridge.proto=relay
uci set network.stabridge.network="lan wwan"
uci commit network

Step 5: Add gateway and dns to the lan interface

Find the IP address of the default gateway for the network you will be repeating. You should be connected to it since step 3, so you can use the route command to find out:

route -n | grep UG

Then, still in the network configuration, add the following options under your lan interface, substituting gateway with the IP you just found:

config 'interface' 'lan'
        option gateway '192.168.1.1'
        option dns '192.168.1.1'

UCI CLI commands:

uci set network.lan.gateway=192.168.1.1
uci set network.lan.dns=192.168.1.1
uci commit network

Please note: the IP address of this router (and only this one!) must be in a different subnet than your existing main network, otherwise relayd will not work. This will be changed later (see "Apply changes" below). This saves us an additional change on the administration PC to match the subnet. Note also: in the final configuration, any clients on OpenWrt will use the same IP range as your main network.

Step 6: Disable the local DHCP server

Since DHCP requests from LAN will be answered by the wireless AP the router is connecting to, the local DHCP server must be disabled in order to avoid collisions later on.

Edit /etc/config/dhcp and locate the existing DHCP pool for LAN and mark it as ignored:

config 'dhcp' 'lan'
        option 'interface' 'lan'
        option 'start' '100'
        option 'limit' '150'
        option 'leasetime' '12h'
        option 'ignore' '1'

It is also possible to simply remove or comment out the whole section.

UCI CLI commands:

uci set dhcp.lan.ignore=1
uci commit dhcp

Step 7: Adjust the firewall

In contrast to true bridging, packets forwarded by relayd are handled internally by the normal routing system. This means they are also affected by the firewall policies set on LAN.

Edit /etc/config/firewall, locate the existing LAN zone definition and add the new wwan network to it in order to apply the same policies to LAN and the wireless client.

config 'zone'
        option 'name' 'lan'
        option 'input' 'ACCEPT'
        option 'output' 'ACCEPT'
        option 'forward' 'ACCEPT'
        option 'network' 'lan wwan'

OpenWrt, by default, ships a firewall configuration which disallows forwarded traffic within the LAN zone, meaning packets are not allowed to travel between multiple interfaces within it.

As outlined above, the forward policy was set to ACCEPT and both the lan and the wwan networks are configured as members of the LAN zone.

UCI CLI commands:

uci set firewall.@zone[0].forward=ACCEPT
uci set firewall.@zone[0].network="lan wwan"
uci commit firewall

Step 8: Create a wireless network for repeating (optional)

If your equipment is multi-SSID capable, besides the wired interface, you can also bridge the network into a new wireless network. Just create a new network in access point (AP) mode under /etc/config/wireless:

config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid 'RepeaterWirelessNetwork'
        option encryption 'psk2'
        option key 'RepeaterWirelessPassword'
        option network 'lan'

UCI CLI commands:

# create the new wifi-iface section first; [-1] then refers to the section just added
uci add wireless wifi-iface
uci set wireless.@wifi-iface[-1].device=radio0
uci set wireless.@wifi-iface[-1].network=lan
uci set wireless.@wifi-iface[-1].mode=ap
uci set wireless.@wifi-iface[-1].ssid=RepeaterWirelessNetwork
uci set wireless.@wifi-iface[-1].encryption=psk2
uci set wireless.@wifi-iface[-1].key=RepeaterWirelessPassword
uci commit wireless

Apply changes

Reload the DHCP service.

/etc/init.d/dnsmasq restart

Reload the firewall.

/etc/init.d/firewall restart

Reconfigure the wireless network.

wifi down; wifi

Finally, we need to change the IP address of the lan interface.

The lan interface on this router must be in a different subnet than your main network. If the target network uses the 192.168.1.0/24 subnet, you must change the LAN IP address (not the gateway) to a different subnet, e.g. 192.168.2.1.

You can determine the assigned wifi address with one of the following commands:

uci -P/var/state get network.wwan.ipaddr
. /lib/functions/network.sh; network_get_ipaddr ip_wwan wwan; echo $ip_wwan

The UCI CLI commands to change the default LAN IP address to a different subnet are:

uci set network.lan.ipaddr=192.168.2.1
uci commit network
reboot

At this point, the relayed client configuration should be finished.
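
A check of the finished configuration against the steps above, as an added example that is not part of the original page. It reads uci show output, so it can be tried offline on the constructed sample; the function names and the sample dump are made up here, and the sample assumes the LAN netmask 255.255.255.0.

```shell
# check_relayd: read `uci show` output on stdin and verify what this how-to relies on.
# Prints one "FAIL: ..." line per problem; returns 0 only when every check passes.
check_relayd() {
    awk -v q="'" '
    function has(list, w) { return index(" " list " ", " " w " ") > 0 }
    function net(ip, mask,   i, a, m, out) {       # network part of ip/mask
        split(ip, a, "."); split(mask, m, ".")
        for (i = 1; i <= 4; i++)
            out = out (i > 1 ? "." : "") (int(a[i] / (256 - m[i])) * (256 - m[i]))
        return out
    }
    function fail(msg) { print "FAIL: " msg; bad = 1 }
    {   # split "key=value" at the first "=", drop the quotes uci adds
        eq = index($0, "="); if (!eq) next
        k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
        gsub(q, "", v); cfg[k] = v; key[++n] = k
    }
    END {
        if (cfg["network.wwan.proto"] != "dhcp") fail("wwan is not a dhcp interface")
        r = cfg["network.stabridge.network"]
        if (cfg["network.stabridge.proto"] != "relay" || !has(r, "lan") || !has(r, "wwan"))
            fail("stabridge is not a relay over lan and wwan")
        if (cfg["dhcp.lan.ignore"] != "1") fail("local DHCP server still enabled on lan")
        for (i = 1; i <= n; i++) {
            k = key[i]; b = k; sub(/\.[^.]*$/, "", b)   # b = section, k = option
            if (k ~ /^wireless\..*\.mode$/ && cfg[k] == "sta" && cfg[b ".network"] == "wwan") sta = 1
            if (k ~ /^firewall\..*\.network$/ && has(cfg[k], "lan") && has(cfg[k], "wwan") &&
                cfg[b ".forward"] == "ACCEPT") fw = 1
        }
        if (!sta) fail("no wifi-iface in sta mode attached to wwan")
        if (!fw)  fail("no firewall zone with lan and wwan and forward ACCEPT")
        gw = cfg["network.lan.gateway"]; mask = cfg["network.lan.netmask"]
        if (gw == "" || net(cfg["network.lan.ipaddr"], mask) == net(gw, mask))
            fail("lan gateway unset, or lan ipaddr shares the upstream subnet")
        exit bad + 0
    }'
}

# Constructed sample: `uci show` lines as they would look after all steps.
sample_uci() {
cat <<'EOF'
network.lan.ipaddr='192.168.2.1'
network.lan.netmask='255.255.255.0'
network.lan.gateway='192.168.1.1'
network.wwan.proto='dhcp'
network.stabridge.proto='relay'
network.stabridge.network='lan wwan'
wireless.@wifi-iface[0].network='wwan'
wireless.@wifi-iface[0].mode='sta'
dhcp.lan.ignore='1'
firewall.@zone[0].forward='ACCEPT'
firewall.@zone[0].network='lan wwan'
EOF
}
sample_uci | check_relayd && echo "relayd configuration checks passed"
```

On the router, run it against the live configuration with: uci show | check_relayd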

Enable access from client network

After this the relay should work, however you will have trouble reaching the router from the client network if the client ip is not changed. To get to it you'll need to manually set the IP address on your computer to an IP address on the same subnet (like 192.168.2.201 if you set the router lan ip to 192.168.2.1).

This is kind of tedious, but you can set things up so that you can reach it from the client network.

Run ifconfig and take note of the IP address assigned to wlan0. Then tell relayd that this is the router's IP address with the following config in /etc/config/network:

config interface 'stabridge'
        option ipaddr '192.168.1.35'

UCI CLI commands:

uci set network.stabridge.ipaddr=192.168.1.35
uci commit network

You should make sure the main router is statically assigning the relay router the same IP address all the time.


doc/recipes/relayclient.txt · Last modified: 2014/06/15 13:12 by spam-toaster