Table of Contents
Routed Client with relayd (Pseudobridge)
In the default configuration, OpenWrt bridges the wireless network to the LAN of the device. Most wireless drivers do not support bridging in client mode (see Bridged Client Mode Issues), therfore the traffic between LAN and the wireless client must be routed. The relayd package helps to implement a bridge-like behaviour with DHCP and Broadcast relaying comparable to the proprietary Broadcom WET mode.
The steps outlined below cover the process of putting the radio into client mode and linking it with the LAN interface with the help of relayd. It is important to notice that the 192.168.2.0 network in the above picture is not going to be used by any clients, but relayd requires the lan interface be in a different subnet to work.
Configuration with Luci When using Luci you also need to install the luci-proto-relay package.
OpenWrt PseudoBridge HowTo for TL-WR703n or any other device based on package relayd and luci-proto-relay.
Repeater configurations here! Both ways, bridged and simple repeater.
If you wish to set your OpenWRT as a Wireless Ethernet Bridge through the Web UI, rather than through SSH, then scroll to the section at the bottom of this page.
These steps are for configuring throughh SSH (or similar). If you prefer to do it through the Web UI, then scroll down to the next section, near the bottom.
Configuration
The changes below assume an OpenWrt default configuration, the relevant files are:
Before doing any actual configuration, the wifi interface must be enabled in order to be able to scan for networks in the vincinity:
uci set wireless.@wifi-device[0].disabled=0 uci commit wireless wifi
- Set the disabled option to 0 (to enable wireless)
- Save changed configuration file
- Start wireless using the wifi command
Now we can list networks in range using:
- in OpenWrt 10.03 and previous, use:
iwlist scan - in 12.09, substituting your actual wireless interface for wlan0 if different:
iw dev wlan0 scanifconfiglists all available interfaces if wlan0 is not correct
'iwlist scan' output example
root@OpenWrt:~# iwlist scan
wlan0 Scan completed :
Cell 01 - Address: 00:16:01:0A:B2:8F
Channel:11
Frequency:2.462 GHz (Channel 11)
Quality=70/70 Signal level=-33 dBm
Encryption key:on
ESSID:"xmff-relay"
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s
24 Mb/s; 36 Mb/s; 54 Mb/s
Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 48 Mb/s
Mode:Master
Extra:tsf=000000173feaf1b7
Extra: Last beacon: 100ms ago
IE: Unknown: 000A786D66662D72656C6179
IE: Unknown: 010882848B962430486C
IE: Unknown: 03010B
IE: Unknown: 2A0100
IE: Unknown: 2F0100
IE: Unknown: 32040C121860
IE: Unknown: DD090010180201F0000000
IE: WPA Version 1
Group Cipher : TKIP
Pairwise Ciphers (1) : TKIP
Authentication Suites (1) : PSK
Cell 02 - Address: 00:14:BF:16:D4:DF
Channel:1
Frequency:2.412 GHz (Channel 1)
Quality=23/70 Signal level=-87 dBm
Encryption key:on
ESSID:"Morpheus"
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 18 Mb/s
24 Mb/s; 36 Mb/s; 54 Mb/s
Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 48 Mb/s
Mode:Master
Extra:tsf=0000019e5b85538f
Extra: Last beacon: 11580ms ago
IE: Unknown: 00084D6F727068657573
IE: Unknown: 010882848B962430486C
IE: Unknown: 030101
IE: Unknown: 2A0100
IE: Unknown: 2F0100
IE: Unknown: 32040C121860
IE: Unknown: DD06001018020004
IE: WPA Version 1
Group Cipher : TKIP
Pairwise Ciphers (1) : TKIP
Authentication Suites (1) : PSK
Cell 03 - Address: 00:1A:4F:8F:48:50
Channel:4
Frequency:2.427 GHz (Channel 4)
Quality=26/70 Signal level=-84 dBm
Encryption key:on
ESSID:"FRITZ!Box Fon WLAN 7141"
Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s
Bit Rates:6 Mb/s; 9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s
36 Mb/s; 48 Mb/s; 54 Mb/s
Mode:Master
Extra:tsf=00000044688c8235
Extra: Last beacon: 500ms ago
IE: Unknown: 0017465249545A21426F7820466F6E20574C414E2037313431
IE: Unknown: 010482848B96
IE: Unknown: 030104
IE: Unknown: 2A0107
IE: IEEE 802.11i/WPA2 Version 1
Group Cipher : TKIP
Pairwise Ciphers (1) : CCMP
Authentication Suites (1) : PSK
IE: Unknown: 32080C1218243048606C
IE: WPA Version 1
Group Cipher : TKIP
Pairwise Ciphers (1) : TKIP
Authentication Suites (1) : PSK
IE: Unknown: DD0A0800280101000200FF0F
IE: Unknown: DD180050F2020101800003A4000027A4000042435E0062322F00 |
- ESSID is the name of the network
- Channel specifies at which frequency the corresponding network is operating on
- The lines starting with IE: report which encryption capabilities are supported by the access point:
- IEEE 802.11i/WPA2 Version 1 indicates WPA2
- WPA Version 1 indicates WPA
- If both WPA and WPA2 are present, the network is most likely operating in WPA/WPA2 mixed mode
'iw dev wlan0 scan' output example
root@OpenWrt:~# iw dev wlan0 scan
BSS c1:9e:db:ff:af:ad(on wlan0)
TSF: 71481395591 usec (0d, 19:51:21)
freq: 2412
beacon interval: 100 TUs
capability: ESS Privacy ShortPreamble ShortSlotTime (0x0431)
signal: -56.00 dBm
last seen: 660 ms ago
Information elements from Probe Response frame:
SSID: HogardeDolly
Supported rates: 1.0* 2.0* 5.5* 11.0* 6.0* 9.0 12.0* 18.0
DS Parameter set: channel 1
ERP: <no flags>
ERP D4.0: <no flags>
RSN: * Version: 1
* Group cipher: TKIP
* Pairwise ciphers: CCMP TKIP
* Authentication suites: PSK
* Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
Extended supported rates: 24.0* 36.0 48.0 54.0
HT capabilities:
Capabilities: 0x11ce
HT20/HT40
SM Power Save disabled
RX HT40 SGI
TX STBC
RX STBC 1-stream
Max AMSDU length: 3839 bytes
DSSS/CCK HT40
Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
Minimum RX AMPDU time spacing: 8 usec (0x06)
HT RX MCS rate indexes supported: 0-15
HT TX MCS rate indexes are undefined
HT operation:
* primary channel: 1
* secondary channel offset: above
* STA channel width: any
* RIFS: 1
* HT protection: no
* non-GF present: 1
* OBSS non-GF present: 0
* dual beacon: 0
* dual CTS protection: 0
* STBC beacon: 0
* L-SIG TXOP Prot: 0
* PCO active: 0
* PCO phase: 0
WPA: * Version: 1
* Group cipher: TKIP
* Pairwise ciphers: CCMP TKIP
* Authentication suites: PSK
WMM: * Parameter version 1
* BE: CW 15-63, AIFSN 3
* BK: CW 15-1023, AIFSN 7
* VI: CW 7-15, AIFSN 1, TXOP 3008 usec
* VO: CW 3-7, AIFSN 1, TXOP 1504 usec
BSS 31:ff:1e:36:ed:21(on wlan0)
TSF: 36618930211 usec (0d, 10:10:18)
freq: 2437
beacon interval: 100 TUs
capability: ESS Privacy ShortPreamble ShortSlotTime (0x0431)
signal: -70.00 dBm
last seen: 380 ms ago
Information elements from Probe Response frame:
SSID: uFi_06ED61
Supported rates: 1.0* 2.0* 5.5* 6.0 9.0 11.0* 12.0 18.0
DS Parameter set: channel 6
Country: HK Environment: bogus
Channels [1 - 13] @ 20 dBm
ERP: <no flags>
Extended supported rates: 24.0 36.0 48.0 54.0
HT capabilities:
Capabilities: 0x0c
HT20
SM Power Save disabled
No RX STBC
Max AMSDU length: 3839 bytes
No DSSS/CCK HT40
Maximum RX AMPDU length 8191 bytes (exponent: 0x000)
Minimum RX AMPDU time spacing: No restriction (0x00)
HT RX MCS rate indexes supported: 0-7
HT TX MCS rate indexes are undefined
HT operation:
* primary channel: 6
* secondary channel offset: no secondary
* STA channel width: 20 MHz
* RIFS: 0
* HT protection: nonmember
* non-GF present: 0
* OBSS non-GF present: 0
* dual beacon: 0
* dual CTS protection: 0
* STBC beacon: 0
* L-SIG TXOP Prot: 0
* PCO active: 0
* PCO phase: 0
WPA: * Version: 1
* Group cipher: TKIP
* Pairwise ciphers: CCMP TKIP
* Authentication suites: PSK
RSN: * Version: 1
* Group cipher: TKIP
* Pairwise ciphers: CCMP TKIP
* Authentication suites: PSK
* Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
WMM: * Parameter version 1
* BE: CW 15-1023, AIFSN 3
* BK: CW 15-1023, AIFSN 7
* VI: CW 7-15, AIFSN 2, TXOP 3008 usec
* VO: CW 3-7, AIFSN 2, TXOP 1504 usec
WPS: * Version: 1.0
* Wi-Fi Protected Setup State: 2 (Configured)
* Response Type: 3 (AP)
* UUID: f23a0b52-48fc-5f20-9a5b-3cd27cf64566
* Manufacturer: ZTE
* Model: AR6003
* Model Number:
* Serial Number:
* Primary Device Type: 6-0050f204-1
* Device name: ZTE-AP
* Config methods: Label, Display, PBC, Keypad
* RF Bands: 0x1
root@OpenWrt:~#
Step 1: Create an interface for the wireless station
Edit /etc/config/network and add a new interface, for example wwan, with proto set to dhcp:
config 'interface' 'wwan'
option 'proto' 'dhcp' |
Note that no ifname is required here since the wireless network will reference this section later.
UCI CLI commands:
uci set network.wwan=interface uci set network.wwan.proto=dhcp uci commit network
Step 2: Change the existing wireless network
Supposed we want to connect to the network called "xmff-relay", the previous scan result revealed the following information:
- ESSID is
xmff-relay - Channel is
11 - The network uses WPA(1) mode
In /etc/config/wireless, locate the existing wifi-iface section and change its network option to point to the newly created interface.
Change the mode option to sta (Station) and alter the encryption options to match those of the target network.
config 'wifi-device' 'radio0'
option 'type' 'mac80211'
…
option 'channel' '11'
config 'wifi-iface'
option 'device' 'radio0'
option 'network' 'wwan'
option 'mode' 'sta'
option 'ssid' 'xmff-relay'
option 'encryption' 'psk'
option 'key' 'secret-key' |
UCI CLI commands:
uci set wireless.radio0.channel=11 uci set wireless.@wifi-iface[0].network=wwan uci set wireless.@wifi-iface[0].mode=sta uci set wireless.@wifi-iface[0].ssid=xmff-relay uci set wireless.@wifi-iface[0].encryption=psk uci set wireless.@wifi-iface[0].key=secret-key uci commit wireless
Finally restart wifi using:
wifi down; wifiNote that if you receive
device or resource busy or command not found errors, you may need to issue a reboot command and reconnect before continuing. If you have connected successfully to the existing network, ifconfig should reveal that wlan0 (or whatever your wireless interface is called) has an IP address on the existing wireless network.
You should now be connected to the internet (you will need such connection for step 3).
Note that the router is connected to the internet via the wireless link (as a client of the AP), but the computer you are using to communicate with the router is not. Try to ping a web site from the router. If it is successful, the wireless link is functioning and that is sufficient to proceed to the next step. Do not worry that your computer cannot access the internet yet.
Step 3: Install relayd
If the relayd package is not present on the system yet, install it using:
opkg update opkg install relayd
In 12.09 and trunk versions it is also required to enable the relayd init script to function properly:
/etc/init.d/relayd enable
Step 4: Declare a relay interface
Back to /etc/config/network add another new interface, this time with the special protocol relay:
config 'interface' 'stabridge'
option 'proto' 'relay'
option 'network' 'lan wwan' |
The existing lan network and the newly created wwan network are grouped together here.
UCI CLI commands:
uci set network.stabridge=interface uci set network.stabridge.proto=relay uci set network.stabridge.network="lan wwan" uci commit network
Step 5: Add gateway and dns to the lan interface
Find the IP address of default gateway for the network you will be repeating. You should be connected to it since step 3, thus you can use the route command to find out:
route -n | grep UG
Then, still in the network configuration, add the following options under your lan interface, substituting gateway with the IP you just found:
config 'interface' 'lan'
option gateway '192.168.1.1'
option dns '192.168.1.1' |
UCI CLI commands:
uci set network.lan.gateway=192.168.1.1 uci set network.lan.dns=192.168.1.1 uci commit network
Please note, the ip address of this router (and only this!) must be in a different subnet than your existing main network, otherwise relayd will not work. This will be changed later (see below in chapter "apply changes"). This safes us an additional change on administration PC to match subnet. Note also: On final configuration, any clients on OpenWrt will use the same ip range of your main network.
Step 6: Disable the local DHCP server
Since DHCP requests from LAN will be answered by the wireless AP the router is connecting to, the local DHCP server must be disabled in order to avoid collisions later on.
Edit /etc/config/dhcp and locate the existing DHCP pool for LAN and mark it as ignored:
config 'dhcp' 'lan'
option 'interface' 'lan'
option 'start' '100'
option 'limit' '150'
option 'leasetime' '12h'
option 'ignore' '1' |
It also possible to simply remove or comment the whole section.
UCI CLI commands:
uci set dhcp.lan.ignore=1 uci commit dhcp
For enabling IPv6 properly These options have to be set for lan interface to
option ra relay
option ndp relay
option dhcpv6 relay |
UCI CLI commands:
uci set dhcp.lan.ra=relay uci set dhcp.lan.ndp=relay uci set dhcp.lan.dhcpv6=relay uci commit dhcp
Step 7: Adjust the firewall
In contrast to true bridging, packets forwarded by relayd are handled by the normal routing system internally, this means they're also affected by firewall policies set on LAN.
Edit /etc/config/firewall and locate the existing LAN zone definition, add the new wwan
to it in order to apply the same policies on LAN and the wireless client.
config 'zone'
option 'name' 'lan'
option 'input' 'ACCEPT'
option 'output' 'ACCEPT'
option 'forward' 'ACCEPT'
option 'network' 'lan wwan' |
OpenWrt, by default, ships a firewall configuration which disallows forwarded traffic within the LAN zone, means packets are not allowed to travel between multiple interfaces within it.
As outlined above, the forward policy was set to ACCEPT and both the lan and the wwan
networks are configured as members of the LAN zone.
UCI CLI commands:
uci set firewall.@zone[0].forward=ACCEPT uci set firewall.@zone[0].network="lan wwan" uci commit firewall
Step 8: Create a wireless network for repeating (optional)
If your equipment is multi-SSID capable, besides the wired interface, you can also bridge the network into a new wireless network. Just create a new network in access point (AP) mode under /etc/config/wireless:
config wifi-iface
option device 'radio0'
option mode 'ap'
option ssid 'RepeaterWirelessNetwork'
option encryption 'psk2'
option key 'RepeaterWirelessPassword'
option network 'lan' |
UCI CLI commands:
uci add wireless wifi-iface uci set wireless.@wifi-iface[1].device=radio0 uci set wireless.@wifi-iface[1].network=lan uci set wireless.@wifi-iface[1].mode=ap uci set wireless.@wifi-iface[1].ssid=RepeaterWirelessNetwork uci set wireless.@wifi-iface[1].encryption=psk2 uci set wireless.@wifi-iface[1].key=RepeaterWirelessPassword uci commit wireless
Apply changes
Reload the DHCP service.
/etc/init.d/dnsmasq restart
Reload the firewall.
/etc/init.d/firewall restart
Reconfigure the wireless network.
wifi down; wifi
Finally we will need to change our ip on the lan interface.
 | It is required that the lan interface on this router is in another subnet than your main network . If the target network uses the 192.168.1.0/24 subnet, you must change the LAN IP address (not the gateway) to a different subnet, e.g. 192.168.2.1 . You can determine the assigned wifi address with the following command: uci -P/var/state get network.wwan.ipaddr . /lib/functions/network.sh; network_get_ipaddr ip_wwan wwan; echo $ip_wwanUCI CLI commands to change the default LAN IP address to a different subnet is: uci set network.lan.ipaddr=192.168.2.1 uci commit network reboot |
At this point, the relayed client configuration should be finished.
Enable access from client network
After this the relay should work, however you will have trouble reaching the router from the client network if the client ip is not changed. To get to it you'll need to manually set the IP address on your computer to an IP address on the same subnet (like 192.168.2.201 if you set the router lan ip to 192.168.2.1).
This is kind of tedious, but you can set things up so you can get it from the client network.
Run ifconfig and take note of the IP address assigned to wlan0. Then tell the relayd that this is the routers IP address with the following config in /etc/config/network:
config interface 'stabridge'
option ipaddr '192.168.1.35' |
UCI CLI commands:
uci set network.stabridge.ipaddr=192.168.1.35 uci commit network
You should make sure the main router is statically assigning the relay router the same IP address all the time.
Alternately, it is possible to perform all of the above automatically using hotplug. To do this, add the following lines to /etc/hotplug.d/iface/<xx>-relay:
# enable access from client network [ "$INTERFACE" = wwan ] || exit 0 [ "$ACTION" = ifup -o "$ACTION" = ifupdate ] || exit 0 . /lib/functions/network.sh; network_get_ipaddr ip wwan; uci set network.stabridge.ipaddr=$ip uci commit network
Now, each time the wwan interface is brought up, or its IP address changes, hotplug assigns wwan's IP to stabridge.
These steps are for configuring throughh SSH (or similar). If you prefer to do it through SSH, then scroll up to the previous section, near the top.
Doing this via the Web GUI instead
These steps are for this (aka Wireless Ethernet Bridge) are exactly the same as the above instructions, but will be done through the Web Interface, rather than through a SSH connection. This has been tested on the Meraki MR18, with the LuCi web Interface.
I will be refer to this second router (that has OpenWRT) as the "Client Router". In my references, it will have an IP of 192.168.1.1, and later on 172.16.16.154 as well. It will be connecting to the "Main Router", which will have an IP of 172.16.16.1.
Step 1: Information to Note
- Your Main Router's WPA2 encryption key (aka "WiFi password")
- Your Main Router's subnet (In my example, I will use 172.16.16.0/16 which means my subnet mask is 255.255.0.0)
- Your Main Router's SSID (aka "WiFi network name")
Step 2: Initial Set-up
- Power on your Client Router
- Connect an Ethernet (RJ45) cable from your Computer to your Client Router.
- Set your computer to have a Static IP address of 192.168.1.5 and a Gateway of 192.168.1.1
- In System > Administration, make sure you have the packages luci-proto-relay and relayd-bridge installed.
Step 3: Joining the Main Router's WiFi
- Open your browser, and go to http://192.168.1.1/
- Go to the page Network > WiFi
- Beside your preferred radio, such as Radio1 (801.11an), click Scan.
- Select your Main Router's SSID (ex: Eagle)
- Enter your PSK (Wi-Fi password).
- Create a NEW Network called "wwan" or anything else you like (ex: "Quack")
- Firewall-Zone should be set to "lan".
Step 4: Create the WiFi Client Interface
- Go to the page Network > Interfaces
- Edit the above interface (called "wwan", "Quack" or whatever you chose)
- Set Protocol/Mode = DHCP Client
Step 5: Create Bridge Interface
- Go to the page Network > Interfaces
- Create a new Interface called "stabridge"
- Set Protocol/Mode = Relay Bridge
- Relay between "lan" and "wwan", "Quack" or whatever you chose)
- Local IPv4 Address for the Bridge = "172.16.16.154"
Step 6: Update the "lan" Interface
- Go to the page Network > Interfaces
- Beside "lan", click Edit.
- Set IPv4 Gateway to the IP address of your Main Router (in my case, it's 172.16.16.1)
- Set Custom DNS to also be the IP address of your Main Router (in my case, it's 172.16.16.1)
- Under the section of DHCP Server, CHECK OFF "Ignore Interface"
Step 7: Allow Firewall Forwarding
- Go to the page Network > Firewall
- Scroll down to "Zones". Beside "lan", click Edit.
- Set Forward = Accept. (Input & Output should already be set to Accept)
- Set Covered Network = "lan" (default) & "wwan", "Quack" or whatever you chose)
Step 8: Reboot Your Client Router
- Go to the page System > Reboot > Reboot Now
- On your computer, clear your static IP settings, and let the IP be retrieved automatically.
- Your Client Router should now be accessible at the address of 172.16.16.154 or whatever you chose.
- Your computer should also have an IP address in the same subnet as your Main Router (In my case, it's 172.16.16.#
- If you set your computer to the same static IP address settings as in Step 2-3, you should still be able to connect to the client router at 192.168.1.1
Step 9: Set a DHCP Reservation in the Main Router's Settings
- In your Main Router, set a static DHCP reservation for your Client Router's MAC Address. Use the SAME IP address as in Step 5-5 (In my case, it would be 172.16.16.154)
