OpenWrt Forum Archive

Topic: WAN port as LAN port

The content of this topic has been archived between 26 Apr 2018 and 5 May 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Post #26
cyrus_mc
13 Jan 2010, 05:55
Void Main wrote:

Are you trying to say that you are unable to block traffic from your router to devices attached to your router with iptables because you certainly can do that. I am sure I am misunderstanding your statement though.

No, I am not saying that. The whole issue started off where the original poster wanted to bridge his WAN and LAN port but is saying that the device connected to the WAN port doesn't get an IP and thus can't ping the rest of the hosts on the bridge. Another poster said that you had to enable forwarding between LAN and LAN to which I responded, no that isn't correct.

What I said you can't do is use iptables to control traffic that goes between devices connected to the same switch (ie: eth0). The reason for that is, in the standard setup, the traffic never gets to the firewall. Now, you can probably do some funky stuff where you set your routing table, etc so that traffic has to go through the router/firewall, but in the standard setup that is not the case. You can use ebtables I believe but I don't have experience with that.

(Last edited by cyrus_mc on 13 Jan 2010, 05:56)

Post #27
Void Main
13 Jan 2010, 06:07

Oh yes, I did misunderstand. Carry on. smile

Post #28
pegasus
13 Jan 2010, 12:23

lan section

config 'interface' 'lan'
    option 'type' 'bridge'
    option 'proto' 'static'
    option 'netmask' '255.255.255.0'
    option 'macaddr' ''
    option 'ipaddr' '192.168.1.20'
    option 'ip6addr' ''
    option 'ip6gw' ''
    option 'gateway' '192.168.1.1'
    option 'dns' ' 192.168.1.1'
    option 'ifname' 'eth0 eth1'

I have disabled dhcp so I dn't think it will help. I assign the ip manually and then try to ping with no luck if and only if connected to WAN.

(Last edited by pegasus on 13 Jan 2010, 12:25)

Post #29
Void Main
13 Jan 2010, 15:02

Someone mentioned that the auto-sensing behavior on that wan port may be different than the other ports. I'm not familiar with these devices so I don't know if that is the case but if it is have you tried using a cross-over cable instead of a straight through (or the opposite depending on what you are using now) and have you tried forcing 10 or 100 full duplex, etc? Or have you verified that you were linked and both the port and the interface you plug into it are auto-negotiating properly?

Post #30
pegasus
13 Jan 2010, 16:38
Void Main wrote:

Someone mentioned that the auto-sensing behavior on that wan port may be different than the other ports. I'm not familiar with these devices so I don't know if that is the case but if it is have you tried using a cross-over cable instead of a straight through (or the opposite depending on what you are using now) and have you tried forcing 10 or 100 full duplex, etc? Or have you verified that you were linked and both the port and the interface you plug into it are auto-negotiating properly?

Thanks for your reply:
- I have tried both cross and patch cable.
- No I don't. How do I force? Sorry but I have no idea on how to do it.
- Yes: everithing is properly configured. Infact when I unplug the cable from the WAN port and plug into the lan port, the pinged computer starts responding. Windows shows ethernet connection active in both configurations but only the LAN-port-connected one works.
Thank you

Post #31
Void Main
13 Jan 2010, 16:52

I can't imagine it would be a duplex/speed negotiation issue so you can probably ignore that part, but I could see where it could have been a crossover vs strait through issue. On a Linux client you would use ethtool to turn off auto-negotiation set the speed/duplex manually, not sure how on other OSs (don't use them). Of course you would also have to set the duplex/speed manually on the switch side if you do it on the client side.

Post #32
mactalla
13 Jan 2010, 18:51
cyrus_mc wrote:
cyrus_mc wrote:
mactalla wrote:

Have you checked your firewall?

With ethernet + wifi bridged, traffic still went through the firewall and I had to edit /etc/config/firewall and add

config 'forwarding'
        option 'src' 'lan'
        option 'dest' 'lan'

to communicate between machines.  Perhaps you're hitting something similar with your WAN/LAN ports?

I don't think what you have is required or makes any sense. If it is bridged, it is essentially a single switch and it never gets up to the firewall code.

I did some experiments to verify what I said was correct. The way to look at it is like this. The firewall is 192.168.1.1. When you are communicating with devices connected via a switch (or bridge) you don't address the packet to the firewall IP, it just goes out on the wire with the IP of the destination host. Therefore, it is never picked up by the firewall for processing. Even if by some miracle it was picked up by the firewall it has no way of denying the traffic since it is not involved in the process of sending to the node.

I agree it shouldn't be necessary (based on my rather limited understanding of networking).  I got my information from here: https://forum.openwrt.org/viewtopic.php … 046#p75046

I don't know whether OP's problem is related to this, but I do know that the above solved my Wifi <-> wired communication and his symptoms appear similar.  At least it's something that's quick and easy to test.

Post #33
metamatt
17 Jan 2010, 06:44

I got this to work before with whiterussian on an wrt54g -- on whiterussian, vlan0 is the lan and vlan1 is the wan, and I moved port 0 (the "wan" port on the hardware) from its default home of vlan1 over to vlan0, and it worked just fine as a lan port.

I don't yet know kamikaze well enough to say how to do the same thing (assuming that what it calls eth0 is the equivalent of the old vlan1 and what it calls eth1 is the equivalent of the old vlan0, what jow said in the first comment would be equivalent; and maybe the routerstation has something different about its hardware layout that matters), but I just wanted to give one data point where this was possible.

Post #34
Void Main
17 Jan 2010, 15:22

There is definitely no problem using the wan port the same as any other port on any WRT I've used, I do that all the time from pre White Russian versions all the way to 8.09.2. However, it looks like the switch still isn't fully supported on that Routerstation Pro hardware. Take a look at this thread:

https://forum.openwrt.org/viewtopic.php?pid=100222

Post #35
pegasus
17 Jan 2010, 21:43

I tryed everything you suggested without any luck. It should be due to the lacking rspro switch support. At least I think.

Post #36
jow
18 Jan 2010, 06:24

I begin to suspect something... can you post the output of the following command?

sysctl net.bridge.bridge-nf-call-iptables

~ JoW

Post #37
pegasus
19 Jan 2010, 08:48

This is the output: it looks like an error:
root@OpenWrtRSP:~# sysctl net.bridge.bridge-nf-call-iptables
sysctl: error: 'net.bridge.bridge-nf-call-iptables' is an unknown key

The discussion might have continued from here.