Routed Client with relayd (Pseudobridge)

In the default configuration, OpenWrt bridges the wireless network to the LAN of the device. Most wireless drivers do not support bridging in client mode (see Bridged Client Mode Issues), therfore the traffic between LAN and the wireless client must be routed. The relayd package helps to implement a bridge-like behaviour with DHCP and Broadcast relaying comparable to the proprietary Broadcom WET mode.

Relayd Topology

The steps outlined below cover the process of putting the radio into client mode and linking it with the LAN interface with the help of relayd.

Configuration with Luci :!: When using Luci you also need to install the luci-proto-relay package.
OpenWrt PseudoBridge HowTo for TL-WR703n or any other device based on package relayd and luci-proto-relay.
Repeater configurations here! Both ways, bridged and simple repeater.


The changes below assume an OpenWrt default configuration, the relevant files are:

Before doing any actual configuration, the wifi interface must be enabled in order to be able to scan for networks in the vincinity:

uci set wireless.@wifi-device[0].disabled=0
uci commit wireless

  • Set the disabled option to 0 (to enable wireless)
  • Save changed configuration file
  • Start wireless using the wifi command

Now we can list networks in range using:

  • iwlist scan in OpenWrt 10.03 and previous,
  • iw dev wlan0 scan in 12.09, substituting wlan0 for your wireless interface (ifconfig lists the available interfaces).
root@OpenWrt:~# iwlist scan wlan0 Scan completed : Cell 01 - Address: 00:16:01:0A:B2:8F Channel:11 Frequency:2.462 GHz (Channel 11) Quality=70/70 Signal level=-33 dBm Encryption key:on ESSID:"xmff-relay" Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s 24 Mb/s; 36 Mb/s; 54 Mb/s Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 48 Mb/s Mode:Master Extra:tsf=000000173feaf1b7 Extra: Last beacon: 100ms ago IE: Unknown: 000A786D66662D72656C6179 IE: Unknown: 010882848B962430486C IE: Unknown: 03010B IE: Unknown: 2A0100 IE: Unknown: 2F0100 IE: Unknown: 32040C121860 IE: Unknown: DD090010180201F0000000 IE: WPA Version 1 Group Cipher : TKIP Pairwise Ciphers (1) : TKIP Authentication Suites (1) : PSK Cell 02 - Address: 00:14:BF:16:D4:DF Channel:1 Frequency:2.412 GHz (Channel 1) Quality=23/70 Signal level=-87 dBm Encryption key:on ESSID:"Morpheus" Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s 24 Mb/s; 36 Mb/s; 54 Mb/s Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 48 Mb/s Mode:Master Extra:tsf=0000019e5b85538f Extra: Last beacon: 11580ms ago IE: Unknown: 00084D6F727068657573 IE: Unknown: 010882848B962430486C IE: Unknown: 030101 IE: Unknown: 2A0100 IE: Unknown: 2F0100 IE: Unknown: 32040C121860 IE: Unknown: DD06001018020004 IE: WPA Version 1 Group Cipher : TKIP Pairwise Ciphers (1) : TKIP Authentication Suites (1) : PSK Cell 03 - Address: 00:1A:4F:8F:48:50 Channel:4 Frequency:2.427 GHz (Channel 4) Quality=26/70 Signal level=-84 dBm Encryption key:on ESSID:"FRITZ!Box Fon WLAN 7141" Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s 36 Mb/s; 48 Mb/s; 54 Mb/s Mode:Master Extra:tsf=00000044688c8235 Extra: Last beacon: 500ms ago IE: Unknown: 0017465249545A21426F7820466F6E20574C414E2037313431 IE: Unknown: 010482848B96 IE: Unknown: 030104 IE: Unknown: 2A0107 IE: IEEE 802.11i/WPA2 Version 1 Group Cipher : TKIP Pairwise Ciphers (1) : CCMP Authentication Suites (1) : PSK IE: Unknown: 32080C1218243048606C IE: WPA Version 1 Group Cipher : TKIP Pairwise Ciphers (1) : TKIP Authentication Suites (1) : PSK IE: Unknown: DD0A0800280101000200FF0F IE: Unknown: DD180050F2020101800003A4000027A4000042435E0062322F00
  • ESSID is the name of the network
  • Channel specifies at which frequency the corresponding network is operating on
  • The lines starting with IE: report which encryption capabilities are supported by the access point:
    • IEEE 802.11i/WPA2 Version 1 indicates WPA2
    • WPA Version 1 indicates WPA
    • If both WPA and WPA2 are present, the network is most likely operating in WPA/WPA2 mixed mode

Step 1: Create an interface for the wireless station

Edit /etc/config/network and add a new interface, for example wwan, with proto set to dhcp:

config 'interface' 'wwan' option 'proto' 'dhcp'

Note that no ifname is required here since the wireless network will reference this section later.

UCI CLI commands:

uci set network.wwan=interface
uci set network.wwan.proto=dhcp
uci commit network

Step 2: Change the existing wireless network

Supposed we want to connect to the network called "xmff-relay", the previous scan result revealed the following information:

  • ESSID is xmff-relay
  • Channel is 11
  • The network uses WPA(1) mode

In /etc/config/wireless, locate the existing wifi-iface section and change its network option to point to the newly created interface. Change the mode option to sta (Station) and alter the encryption options to match those of the target network.

config 'wifi-device' 'radio0' option 'type' 'mac80211' … option 'channel' '11' config 'wifi-iface' option 'device' 'radio0' option 'network' 'wwan' option 'mode' 'sta' option 'ssid' 'xmff-relay' option 'encryption' 'psk' option 'key' 'secret-key'

UCI CLI commands:

uci set
uci set wireless.@wifi-iface[0].network=wwan
uci set wireless.@wifi-iface[0].mode=sta
uci set wireless.@wifi-iface[0].ssid=xmff-relay
uci set wireless.@wifi-iface[0].encryption=psk
uci set wireless.@wifi-iface[0].key=secret-key
uci commit wireless

Finally restart wifi using:

wifi down; wifi
You should now be connected to the internet (you will need such connection for step 3).

Step 3: Install relayd

If the relayd package is not present on the system yet, install it using:

opkg update
opkg install relayd

In 12.09 and trunk versions it is also required to enable the relayd init script to function properly:

/etc/init.d/relayd enable

Step 4: Declare a relay interface

Back to /etc/config/network add another new interface, this time with the special protocol relay:

config 'interface' 'stabridge' option 'proto' 'relay' option 'network' 'lan wwan'

The existing lan network and the newly created wwan network are grouped together here.

UCI CLI commands:

uci set network.stabridge=interface
uci set network.stabridge.proto=relay
uci set"lan wwan"
uci commit network

Step 5: Add gateway and dns to the lan interface

Find the IP address of default gateway for the network you will be repeating. You should be connected to it since step 3, thus you can use the route command:

route -n | grep UG

Then, still in the network configuration, add the following options under your lan interface, substituting gateway with the IP you just found:

config 'interface' 'lan' … option gateway '' option dns ''

UCI CLI commands:

uci set network.lan.gateway=
uci set network.lan.dns=
uci commit network

Step 6: Disable the local DHCP server

Since DHCP requests from LAN will be answered by the wireless AP the router is connecting to, the local DHCP server must be disabled in order to avoid collisions later on.

Edit /etc/config/dhcp and locate the existing DHCP pool for LAN and mark it as ignored:

config 'dhcp' 'lan' option 'interface' 'lan' option 'start' '100' option 'limit' '150' option 'leasetime' '12h' option 'ignore' '1'

It also possible to simply remove or comment the whole section.

UCI CLI commands:

uci set dhcp.lan.ignore=1
uci commit dhcp

Step 7: Adjust the firewall

In contrast to true bridging, packets forwarded by relayd are handled by the normal routing system internally, this means they're also affected by firewall policies set on LAN.

Edit /etc/config/firewall and locate the existing LAN zone definition, add the new wwan to it in order to apply the same policies on LAN and the wireless client.

config 'zone' option 'name' 'lan' option 'input' 'ACCEPT' option 'output' 'ACCEPT' option 'forward' 'ACCEPT' option 'network' 'lan wwan'

OpenWrt, by default, ships a firewall configuration which disallows forwarded traffic within the LAN zone, means packets are not allowed to travel between multiple interfaces within it.

As outlined above, the forward policy was set to ACCEPT and both the lan and the wwan networks are configured as members of the LAN zone.

UCI CLI commands:

uci set firewall.@zone[0].forward=ACCEPT
uci set firewall.@zone[0].network="lan wwan"
uci commit firewall

Step 8: Create a wireless network for repeating (optional)

If your equipment is multi-SSID capable, besides the wired interface, you can also bridge the network into a new wireless network. Just create a new network in access point (AP) mode under /etc/config/wireless:

config wifi-iface option device 'radio0' option mode 'ap' option ssid 'RepeaterWirelessNetwork' option encryption 'psk2' option key 'RepeaterWirelessPassword' option network 'lan'

UCI CLI commands:

uci set wireless.@wifi-iface[1].device=radio0
uci set wireless.@wifi-iface[1].network=lan
uci set wireless.@wifi-iface[1].mode=ap
uci set wireless.@wifi-iface[1].ssid=RepeaterWirelessNetwork
uci set wireless.@wifi-iface[1].encryption=psk2
uci set wireless.@wifi-iface[1].key=RepeaterWirelessPassword
uci commit wireless

Apply changes

Reload the DHCP service.

/etc/init.d/dnsmasq restart

Reload the firewall.

/etc/init.d/firewall restart

Reconfigure the wireless network.

wifi down; wifi

If the target network uses the subnet, you must change the default LAN IP address to a different subnet, e.g. .
You can determine the assigned wifi address with the following command:
uci -P/var/state get network.wwan.ipaddr
. /lib/functions/; network_get_ipaddr ip_wwan wwan; echo $ip_wwan
UCI CLI commands to change the default LAN IP address to a different subnet is:
uci set network.lan.ipaddr=
uci commit network

At this point, the relayed client configuration should be finished.

Enable access from main network

After this the relay should work, however you will have trouble reaching the router from the main network. To get to it you'll need to manually set the IP address on your computer to an IP address on the same subnet (like if you set the router ip to

This is kind of tedious, but you can set things up so you can get it from the main network.

Run ifconfig and take note of the IP address assigned to wlan0. Then tell the relayd that this is the routers IP address with the following config.

uci set network.stabridge.ipaddr=
uci commit network

You should make sure the main router is statically assigning the relay router the same IP address all the time.

Back to top

doc/recipes/relayclient.txt · Last modified: 2014/01/12 00:57 by dllud