Differences

This shows you the differences between two versions of the page.

docs:user-guide:network:routedclient [2018/02/20 20:55] – ↷ Links adapted because of a move operation bobafetthotmail
docs:guide-user:network:routedclient [2019/09/22 05:38] – links updated vgaetera
Line 2: Line 2:
  
 In the default configuration, OpenWrt bridges the wireless network to the LAN of the device. In the default configuration, OpenWrt bridges the wireless network to the LAN of the device.
-Most wireless drivers do not support bridging in client mode (see [[doc/howto/clientmode#bridged.client.mode.issues|Bridged Client Mode Issues]]) +Most wireless drivers do not support bridging in client mode, therefore the traffic between LAN and the wireless client must be routed.
-therefore the traffic between LAN and the wireless client must be routed.+
  
  
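Review bot: The removed line's [[doc/howto/clientmode#bridged.client.mode.issues|Bridged Client Mode Issues]] reference is dropped outright instead of being re-pointed, so the claim that most wireless drivers cannot bridge in client mode no longer has anything backing it. If that page survived the move, link its new location here; if it did not, the edit summary should say a reference was removed, since "links updated" suggests only targets changed.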
Line 9: Line 8:
  
 If you have no administrative access (e.g. ability to configure static route entries) to the target Access Point, the local LAN subnet must be //masqueraded// to ensure proper routing.\\ If you have no administrative access (e.g. ability to configure static route entries) to the target Access Point, the local LAN subnet must be //masqueraded// to ensure proper routing.\\
-When configuration of the target Access Point is possible, start with the //masqueraded// configuration below and proceed with the steps in the [[#using.routing|Using routing]] section to define a fully routed setup.+When configuration of the target Access Point is possible, start with the //masqueraded// configuration below and proceed with the steps in the [[#using_routing|Using routing]] section to define a fully routed setup.
  
 {{:doc:howto:802.11-routed-masq.png|Masqueraded}} {{:doc:howto:802.11-routed-masq.png|Masqueraded}}
Line 19: Line 18:
 The changes below assume an OpenWrt default configuration, the relevant files are: The changes below assume an OpenWrt default configuration, the relevant files are:
  
-  * [[docs:user-guide:network:basics|/etc/config/network]] +  * [[docs:guide-user:base-system:basic-networking|/etc/config/network]] 
-  * [[docs:user-guide:wifi:basic|/etc/config/wireless]]+  * [[docs:guide-user:network:wifi:basic|/etc/config/wireless]]
  
  
Line 89: Line 88:
   * ESSID is ''Vodafone-0E0301''   * ESSID is ''Vodafone-0E0301''
   * Channel is ''9''   * Channel is ''9''
-  * The network uses WPA/WPA2 mixed mode\\ +  * The network uses WPA/WPA2 mixed mode 
-\\ + 
-In ''/etc/config/wireless'', locate the existing ''[[doc:uci:wireless#wifi.networks|wifi-iface]]'' section and change its network option to point to the WAN interface. +In ''/etc/config/wireless'', locate the existing ''wifi-iface'' section and change its network option to point to the WAN interface. 
-Change the ''mode'' option to ''sta'' (Station) and alter the SSID and [[doc:uci:wireless#wpa.encryption|encryption options]] to match those of the target network. Channel doesn't necessary have to match.+Change the ''mode'' option to ''sta'' (Station) and alter the SSID and [[docs:guide-user:network:wifi:encryption|encryption options]] to match those of the target network. Channel doesn't necessary have to match.
  
 | ''config 'wifi-device' 'wlan0' | ''config 'wifi-device' 'wlan0'
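Review bot: In the first added sentence the ''wifi-iface'' link is removed rather than updated, while the encryption link in the following sentence is re-pointed to docs:guide-user:network:wifi:encryption. Readers lose the pointer to where the wifi-iface options are documented; the file list earlier in this revision already uses docs:guide-user:network:wifi:basic for /etc/config/wireless, which would be a reasonable target. Since the line is being touched anyway, "Channel doesn't necessary have to match" should read "necessarily".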
Line 152: Line 151:
 In addition to the files in the [[#using.masquerade|masqueraded setup]], the relevant config files are: In addition to the files in the [[#using.masquerade|masqueraded setup]], the relevant config files are:
  
-  * [[docs:user-guide:firewall:firewall_configuration|/etc/config/firewall]]+  * [[docs:guide-user:firewall:firewall_configuration|/etc/config/firewall]]
  
 === Step 1: Change the firewall configuration === === Step 1: Change the firewall configuration ===
  
-Edit the ''/etc/config/firewall'' file and locate the WAN [[doc:uci:firewall#zones|zone]] definition.+Edit the ''/etc/config/firewall'' file and locate the WAN [[inbox:firewall:firewall3:fw3_network|zone]] definition.
 Disable masquerading and set the incoming traffic policy to ACCEPT: Disable masquerading and set the incoming traffic policy to ACCEPT:
  
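Review bot: The unchanged line above Step 1 still links [[#using.masquerade|masqueraded setup]] with a dotted anchor, although this same revision rewrites #using.routing to #using_routing; if heading anchors changed format, this one needs the same fix in the same pass. Separately, the zone link now targets inbox:firewall:firewall3:fw3_network, while the other firewall links in this revision stay under docs:guide-user:firewall. This step tells the reader to set the WAN incoming policy to ACCEPT and disable masquerading, so the zone reference it leans on should be the maintained user-guide page rather than an inbox page, if one covers zones.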
Line 167: Line 166:
         option 'masq'       **'0'** '' |         option 'masq'       **'0'** '' |
  
-Proceed with adding a new [[doc:uci:firewall#forwardings|forwarding]] section allowing traffic flow from WAN to LAN:+Proceed with adding a new [[docs:guide-user:firewall:firewall_configuration#forwardings|forwarding]] section allowing traffic flow from WAN to LAN:
  
 | ''config 'forwarding' | ''config 'forwarding'
Line 217: Line 216:
 ==== After setup everything works BUT client subnet cannot access internet ==== ==== After setup everything works BUT client subnet cannot access internet ====
  
-This is due to the reason that AP router (in this case 192.168.1.1) does not masquerade client subnet (192.168.2.0/24).\\ +This is due to the reason that AP router (in this case 192.168.1.1) does not masquerade client subnet (192.168.2.0/24). 
-\\+
 If you cannot (or don't want to) modify AP router's firewall in deep, you can configure client router (192.168.2.1) in the following way:\\ If you cannot (or don't want to) modify AP router's firewall in deep, you can configure client router (192.168.2.1) in the following way:\\
-Edit the ''/etc/config/firewall'' file and locate the WAN [[doc:uci:firewall#zones|zone]] definition. \\+Edit the ''/etc/config/firewall'' file and locate the WAN [[inbox:firewall:firewall3:fw3_network|zone]] definition. \\
  
 | ''config 'zone' | ''config 'zone'
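Review bot: Only the first sentence loses its forced line break; the two lines after it still end in \\, so the paragraph now mixes both styles. Either strip them all or leave them all. The zone link has the same inbox:firewall:firewall3:fw3_network target as in Step 1 and should follow whatever is decided there.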
Line 300: Line 299:
 In this way requests from the **WC** lan side are allowed to reach the **WC** wan side that contains the **WP** lan network. In this way requests from the **WC** lan side are allowed to reach the **WC** wan side that contains the **WP** lan network.
  
-But we should not forget about masquerading (explained briefly at least here [[doc:uci:network]] ). By default the wan zone has masquerading, but this means that when a computer from the **WC** lan side wants to connect to a computer on the **WP** lan side, its ip will be masqueraded. Therefore we should avoid masquerading when a computer on the **WC** lan side wants to reach an IP address in the network ''192.168.10.0/24'' this is done in this way (file ''/etc/config/firewall'' ):+But we should not forget about masquerading (explained briefly at least here [[docs:guide-user:base-system:basic-networking]] ). By default the wan zone has masquerading, but this means that when a computer from the **WC** lan side wants to connect to a computer on the **WP** lan side, its ip will be masqueraded. Therefore we should avoid masquerading when a computer on the **WC** lan side wants to reach an IP address in the network ''192.168.10.0/24'' this is done in this way (file ''/etc/config/firewall'' ):
 <file> <file>
 config zone config zone
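Review bot: The replacement link [[docs:guide-user:base-system:basic-networking]] has no label, unlike most links updated in this revision, so it will not read as a sentence fragment after "explained briefly at least here". Add a label, and confirm the new target actually discusses masquerading, since the sentence promises that. The same line also runs two sentences together at "''192.168.10.0/24'' this is done in this way"; a full stop after the network would fix it.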
Line 323: Line 322:
 First we should enable the possibility that packets coming on First we should enable the possibility that packets coming on
 the wan side of **WC** could reach the lan side of **WC**. This the wan side of **WC** could reach the lan side of **WC**. This
-is done through forwarding (see [[docs:user-guide:firewall:firewall_configuration]] and [[inbox:doc:iptables_and_firewall]] ).+is done through forwarding (see [[docs:guide-user:firewall:start|Firewall Documentation]] and [[docs:guide-user:firewall:netfilter-iptables:iptables_and_firewall]] ).
  
 In particular we want that if a packet coming on the wan side of **WC** has the source in the network In particular we want that if a packet coming on the wan side of **WC** has the source in the network
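Review bot: The first link in "is done through forwarding (see ...)" moves from the firewall_configuration page to the more general docs:guide-user:firewall:start, which is a less specific target for a sentence about forwarding. The forwarding link earlier in this revision uses docs:guide-user:firewall:firewall_configuration#forwardings, and using that here would take the reader straight to the relevant section. The second link, [[docs:guide-user:firewall:netfilter-iptables:iptables_and_firewall]], is left without a label while the first one gains "Firewall Documentation"; give it one too.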
  • Last modified: 2021/07/23 14:39
  • by someothertime