User Tools

Site Tools


Routed Client

In the default configuration, OpenWrt bridges the wireless network to the LAN of the device. Most wireless drivers do not support bridging in client mode (see Bridged Client Mode Issues), therefore the traffic between LAN and the wireless client must be routed.


If you have no administrative access (e.g. ability to configure static route entries) to the target Access Point, the local LAN subnet must be masqueraded to ensure proper routing.
When configuration of the target Access Point is possible, start with the masqueraded configuration below and proceed with the steps in the Using routing section to define a fully routed setup.


The steps outlined below cover the process of putting the radio into client mode and reusing the existing WAN interface and its NAT firewall rules to connect to the target network.


The changes below assume an OpenWrt default configuration, the relevant files are:

Before doing any actual configuration, the wifi interface must be enabled and put into station mode in order to be able to scan for networks in the vincinity:

uci del wireless.@wifi-device[0].disabled
uci del wireless.@wifi-iface[0].network
uci set wireless.@wifi-iface[0].mode=sta
uci commit wireless

  • Remove the disable 1 option from the wireless configuration
  • Set the mode option to station
  • Save changed configuration file
  • Start wireless using the wifi command

Now we can issue the iwlist scan command to list networks in range, the required information is highlighted:

root@OpenWrt:~# iwlist scan wlan0 Scan completed : Cell 01 - Address: 00:1D:19:0E:03:8F ESSID:"Vodafone-0E0301" Mode:Managed Channel:9 Quality:3/5 Signal level:-69 dBm Noise level:-92 dBm IE: IEEE 802.11i/WPA2 Version 1 Group Cipher : TKIP Pairwise Ciphers (2) : TKIP CCMP Authentication Suites (1) : PSK Preauthentication Supported IE: WPA Version 1 Group Cipher : TKIP Pairwise Ciphers (2) : TKIP CCMP Authentication Suites (1) : PSK Encryption key:on Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 6 Mb/s; 9 Mb/s 11 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s; 36 Mb/s 48 Mb/s; 54 Mb/s
  • ESSID is the name of the network
  • Channel specifies at which frequency the corresponding network is operating on
  • The lines starting with IE: report which encryption capabilities are supported by the access point:
    • IEEE 802.11i/WPA2 Version 1 indicates WPA2
    • WPA Version 1 indicates WPA
    • If both WPA and WPA2 are present, the network is most likely operating in WPA/WPA2 mixed mode
    • If no IE: appears after the scanning, the wireless network could be using WEP mode.
If you see a message like Device or resource busy, a wpa_supplicant instance is most likely locking the interface. In this case kill the running process and repeat the scan:
killall -9 wpa_supplicant
iwlist scan

Step 1: Change the WAN interface

Edit /etc/config/network and change the WAN interface by editing the existing ifname option:

config 'interface' 'wan' option 'proto' 'dhcp'

Note that the wan network section must not contain any ifname option.

Step 2: Change the existing wireless network

Supposed we want to connect to the network called "Vodafone-0E0301", the previous scan result revealed the following information:

  • ESSID is Vodafone-0E0301
  • Channel is 9
  • The network uses WPA/WPA2 mixed mode

In /etc/config/wireless, locate the existing wifi-iface section and change its network option to point to the WAN interface. Change the mode option to sta (Station) and alter the SSID and encryption options to match those of the target network. Channel doesn't necessary have to match.

config 'wifi-device' 'wlan0' option 'type' 'broadcom' option 'channel' '9' config 'wifi-iface' option 'device' 'wlan0' option 'network' 'wan' option 'mode' 'sta' option 'ssid' 'Vodafone-0E0301' option 'encryption' 'psk2' option 'key' 'secret-key'

Apply changes

Reconfigure the wireless network.

ifup wan

If the target network uses the subnet, you must change the default LAN IP address to a different subnet, e.g. .
You can determine the assigned WAN address with the following command:
. /lib/functions/; network_get_ipaddr IP_WAN wan; echo $IP_WAN

At this point, the masqueraded client configuration should be finished.

Using routing

In contrast to masquerading, a fully routed setup allows access from hosts of the Access Point network to hosts in the client network by using the client routers WAN IP address as gateway for the client network behind it.

This kind of network topology is not possible when the client does NAT, since the addresses behind the NAT are not reachable from the outside, unless additional measures like port forwardings are configured.

Routed network topology

This section covers the process of changing the firewall config to allow incoming WAN traffic and disabling masquerading in the corresponding zone.

The fully routed client configuration is based on the masqueraded config and assumes an already working client setup.
Only proceed with the routed configuration below if you have the ability to reconfigure the remote Access Point!


In addition to the files in the masqueraded setup, the relevant config files are:

Step 1: Change the firewall configuration

Edit the /etc/config/firewall file and locate the WAN zone definition. Disable masquerading and set the incoming traffic policy to ACCEPT:

config 'zone' option 'name' 'wan' option 'input' 'ACCEPT' option 'output' 'ACCEPT' option 'forward' 'REJECT' option 'mtu_fix' '1' option 'masq' '0'

Proceed with adding a new forwarding section allowing traffic flow from WAN to LAN:

config 'forwarding' option 'src' 'wan' option 'dest' 'lan'

Step 2: Configure the Access Point

In order to make the local LAN subnet reachable for clients in the Access Point subnet, you need to configure a static route pointing to our LAN network on the AP. How to configure leases and routes on the Access Point differs from model to model. In doubt, consult the operation manual.

Since static routes need a static gateway to work properly, the WAN IP address of the client mode wireless must be fixed, there are two possible ways to achieve that:

  • Use a static DHCP lease - the AP will associate the MAC address of the requesting client mode wireless adapter to a fixed IP address in the AP network, e.g.
  • Use a fixed IP on WAN - the client mode wireless adapter will not request DHCP at all but use a fixed IP configuration instead.

When using the fixed IP approach, the WAN interface in /etc/config/network must be changed from the DHCP protocol to static:

config 'interface' 'wan' option 'proto' 'static' option 'ipaddr' '' option 'netmask' ''

Make sure that the address range does not overlap with the LAN network.
You must change the LAN address if it is in the same subnet, e.g. to

After fixing the WAN address, a static route must be added to the Access Point with the following information:

  • IP address: (IP address of our LAN interface)
  • Destination LAN NET (required in DD-WRT): (our LAN interface subnet)
  • Netmask: (Netmask of our LAN interface)
  • Gateway: (IP address of our WAN interface)

You may also need to set the policy of the firewall of the Access Point to 'ACCEPT' forwarded traffic for the LAN zone, in order for hosts in the Client network to communicate with hosts (other than directly to the router itself) on the Access Point network. E.g. (referring to the diagram) for Client Host 1 to communicate with LAN Host 1.

Apply changes

Reconfigure the wireless network.

ifup wan

Restart the firewall.

/etc/init.d/firewall restart

After setup everything works BUT client subnet cannot access internet

This is due to the reason that AP router (in this case does not masquerade client subnet (

If you cannot (or don't want to) modify AP router's firewall in deep, you can configure client router ( in the following way:
Edit the /etc/config/firewall file and locate the WAN zone definition.

config 'zone' option 'name' 'wan' option 'input' 'ACCEPT' option 'output' 'ACCEPT' option 'forward' 'REJECT' option 'mtu_fix' '1' option masq_dest ! option 'masq' '1'

Please not that in this way client router ( will masquerade everything EXCEPT AP subnet and AP router ( will handle packets from client subnet to internet and vica-versa.
This is double masquerading which works fine especially if you cannot make it work otherwise. Avoid double NATting whenever possible!!

doc/recipes/routedclient.txt · Last modified: 2014/11/29 22:07 by dpint